Security & Device Verification

Two-factor Authentication (2FA)

The platform supports multiple layers of two-factor authentication to protect your account:

• Authenticator App — Compatible with Google Authenticator, Microsoft Authenticator, Authy, and other TOTP-based apps. Generates time-based one-time codes for login verification.
• SMS Verification — One-time codes sent to your verified phone number for sensitive actions and login confirmation.
• SIM-Level Verification (Android) — Silent carrier-level identity verification with no codes to enter.
• Apple Device Attestation (iPhone) — App Store account verification including account creation date.

Administrators can require one or more of these methods depending on the security level needed for each role. Higher privilege roles can be configured to require additional verification layers.

Profile-Based Access Control

Each user receives a server-enforced permission profile that controls both what they see in the interface and what the API allows them to access:

• Visual Profile Creator — Administrators preview the exact user interface with checkboxes overlaid on every menu, section, button, and data field. Uncheck elements, save as a profile — access is configured instantly, visually.
• 5 Built-in Templates — Super Admin, Admin, Manager, Employee, Viewer — or create fully custom profiles from scratch.
• Field-Level & Document-Level Masking — Hide specific data fields (phone numbers, addresses, salaries), mask specific words or numbers within documents, or hide entire paragraphs from certain roles. You control what each person sees down to individual words.
• Per-Interest-Point Access — Each Interest Point can have its own access rules. Invite external participants to a specific Interest Point with restricted visibility while internal members retain full access — ideal for negotiations, collective agreement voting, insurance onboarding, or client portals.
• Groups — Create groups to manage permissions at scale. Assign a profile to a group and every member inherits it instantly.
• Knowledge Vault Integration — Access control extends into your document intelligence layer. When a rule changes, the system instantly flags every related document across all Interest Points and notifies the designated owners.
• Server-Enforced — Even if someone crafts manual API calls, the gateway blocks unauthorized actions. No client-side bypass possible.
• Per-Document Roles — Writer, Reader, Drop-only, or None access for each document, with AI analysis toggle per role.

Hierarchical Security Cascade (Federal Model)

Security and configuration rules follow a strict hierarchical model where the most restrictive rule always wins:

• Platform Minimums — Baseline security standards enforced by the platform itself (encryption, authentication, rate limiting). These are the absolute floor — no one can go below them.
• Client Federal Entity — Beyond IT builds and configures the federal entity for you, then delivers full super-admin access to your organization. Once delivered, Beyond IT has zero access to your data and cannot interfere with your policies, settings, or governance rules. Think of it like a building contractor handing over the keys — once you have them, the contractor can no longer enter.
• Organization — Company-wide policies added on top of your federal rules.
• Department / Group — Team-specific restrictions. Inherits from organization.
• Individual — Personal extras only. Cannot relax group, org, or federal policies.
• Time-Based — Scheduled security policies: "Every Monday 8 AM → full re-verification" or "During holidays → enforce TOTP for all logins."

Custom compliance rules can be rapidly created by our AI developers using embedding technology.

Connections Hub & Integration Security

The platform provides a unified Connections Hub with 5 integration categories:

• Storage (14 providers) — Google Drive, OneDrive, Dropbox, Amazon S3, GCP Cloud Storage, Azure Blob, Custom URL, Platform Storage, FTP, SFTP, WebDAV, SMB, Local/On-Prem, MinIO.
• Identity — SSO, SAML, SCIM provisioning for enterprise user management.
• Messaging — Microsoft Teams, Slack, Discord — for automated notifications and alerts.
• Data Targets — CRM (Salesforce, HubSpot, Pipedrive), Accounting (QuickBooks, Xero, FreshBooks), HR (BambooHR, Workday, ADP), Project Management (Jira, Asana, Monday, Trello, Linear), E-commerce (Shopify, Square).
• Code Repos & Repository AI — Connect your Git, GitHub, GitLab, or Bitbucket repositories and make your code intelligent. The AI indexes your entire codebase via embedding, enabling semantic search, change impact analysis, vulnerability detection, and automatic documentation. Every commit is analyzed — the AI understands your code like a senior developer would.

Overflow & Resilience: Failover, round-robin, cascade, replicate, or archive strategies. Health monitoring with up to 10 alert channels.

DLP Scanning: All imported files pass through automatic Data Loss Prevention scanning.

Event Streaming & Metrics

Every significant platform event — logins, document changes, agreement seals, storage operations, AI interactions — is captured. Export to:

• Google Pub/Sub — Native integration for real-time event streaming.
• Apache Kafka — Connect to your Kafka cluster for high-throughput event processing.
• Webhooks — Push events to any HTTP endpoint — compatible with Zapier, Make, n8n.
• Datadog / New Relic / Grafana — Export health metrics, API latency, error rates.
• Custom Event API — Build your own consumers with our structured JSON event schema.

All streams are authenticated with scoped API keys and encrypted in transit. Your federal entity controls which events are emitted.

On-Premises Deployment

Install the entire platform on your own infrastructure. Plug your own AI models, databases, storage, and operate with full data sovereignty. No data ever leaves your network. Ideal for banking, healthcare, and government.

Incident Response Plan

Beyond IT maintains a comprehensive incident response procedure:

• Detection — Real-time monitoring, anomaly detection via AI, and automated alerting for suspicious activity.
• Classification — Incidents are classified by severity (P1 Critical, P2 High, P3 Medium, P4 Low) and escalated accordingly.
• Containment — Immediate isolation of affected systems. Compromised accounts are suspended and devices revoked within minutes.
• Notification — Affected users and organizations are notified within 72 hours of confirmed data breaches, as required by PIPEDA, GDPR, and other applicable laws.
• Recovery — Systems restored from verified backups. Post-incident review within 7 days.
• Documentation — Full audit trail of all incident response actions, stored immutably.

Backup & Disaster Recovery

• Automated backups — Firestore data is automatically backed up by Google Cloud with point-in-time recovery capability.
• Geographic redundancy — Data is replicated across multiple geographic zones within North America.
• Recovery Time Objective (RTO) — Target: service restoration within 4 hours for critical systems.
• Recovery Point Objective (RPO) — Maximum 1 hour of data loss in worst-case scenarios.
• BYOS protection — If you use Bring your own storage, your data is additionally protected by your own provider's backup policies.

Vulnerability Management & Compliance Roadmap

• Dependency scanning — Automated scanning of all software dependencies for known vulnerabilities.
• Regular updates — Security patches applied promptly. Dependencies kept current.
• Code review — All security-sensitive code changes reviewed before deployment.
• Third-party risk — All subprocessors (Google Cloud, Firebase, telephony providers) are vetted for security certifications and data handling practices.
• SOC 2 Type II — Our architecture and controls are designed toward SOC 2 compliance. Formal audit is on our compliance roadmap.
• ISO 27001 — Information Security Management System principles are embedded in our development and operations practices.
• Target uptime — 99.9% availability target for all production services, monitored 24/7.