Security and compliance are built into the architecture of BargeFlow, not bolted on.
Every tenant table carries a company_id and is protected by PostgreSQL Row-Level Security policies that are enabled and forced. A missing tenant context returns no rows.
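A sketch of how an enabled-and-forced policy fails closed when the tenant context is missing. This is an added example, not BargeFlow's own schema: the table `shipments`, the role `app_user` and the setting `app.company_id` are assumed names, and the UUID is a constructed sample value.

```sql
-- Hypothetical tenant table; every row carries its owning company_id.
CREATE TABLE shipments (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    company_id  uuid NOT NULL,
    reference   text NOT NULL
);

-- ENABLE applies policies to ordinary roles. FORCE also applies them to the
-- table owner, who would otherwise bypass RLS on their own tables.
ALTER TABLE shipments ENABLE ROW LEVEL SECURITY;
ALTER TABLE shipments FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) yields NULL when the setting was never set.
-- NULLIF also maps the empty string to NULL: a custom setting reverts to ''
-- in a session after an earlier transaction's SET LOCAL has ended.
-- "company_id = NULL" is never true, so a missing context matches no rows.
CREATE POLICY tenant_isolation ON shipments
    USING      (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid)
    WITH CHECK (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid);

-- Application role: must be neither superuser nor BYPASSRLS, since both skip policies.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON shipments TO app_user;

-- With tenant context: the row passes WITH CHECK on insert and USING on read.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.company_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO shipments (company_id, reference)
VALUES ('11111111-1111-1111-1111-111111111111', 'A-1');
SELECT id, reference FROM shipments;
COMMIT;

-- Without tenant context: the predicate is NULL for every row, so the same
-- query sees nothing instead of falling back to all tenants' data.
BEGIN;
SET LOCAL ROLE app_user;
SELECT id, reference FROM shipments;
COMMIT;
```

Scoping the context with `SET LOCAL` inside a transaction keeps a tenant id from leaking to the next request on a pooled connection.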
Append-only audit logs and security events, GDPR export and anonymising delete, magic-byte file validation and image re-encoding all ship by default.
Run multi-tenant SaaS on a dedicated Linux server, or deploy the same image inside your own Microsoft 365 / Azure tenant so all compute, data, mail and documents stay under your control.
Report security concerns to security@bargeflow.app.