# SYSADMINS — Pre-filled Vendor Security Checklist

> Last updated: 2026-06-02
> Product: SYSADMINS
> Classification: Public summary (capability-based; no stack fingerprinting).
> Infrastructure-specific controls (hosting, backups, DDoS, WAF) depend on your deployment.

---

## Product overview

**What is SYSADMINS?**

SYSADMINS is a multi-tenant operational SaaS platform for IT and security teams: change management, asset inventory, vendor tracking, documentation, policy governance, risk register, incidents, audit history, and a trust center for compliance document sharing.

**Where is customer data stored?**

Application data is stored in a relational database. Uploaded compliance files (vendor contracts, trust center documents, etc.) are stored on tenant-scoped private storage — never on public static URLs.

## Tenant isolation & access control

**Is the platform multi-tenant?**

Yes. Each customer is an organization (tenant). Data is scoped to the signed-in user's organization throughout the application. File downloads verify organization ownership and role permissions before any content is returned.

**How is access controlled?**

Role-based access control (RBAC) with organization-scoped roles (org admin, owner, admin, member, auditor, etc.). Optional per-user module grants can further restrict module access. Platform administrators are isolated to the operator tenant.

**Can one tenant access another tenant's data?**

Not through normal application flows. Queries and file access are tenant-scoped. Cross-tenant access is rejected. Actions that span organizations require platform administrator privileges.

## Application security

**Is the application protected against SQL injection?**

Yes. Database access uses parameterized queries via an object-relational layer. Application code does not build SQL by concatenating untrusted user input.

**Is CSRF protection enabled?**

Yes. Cross-site request forgery protection is enabled for state-changing requests. Trusted origin allowlists can be configured for reverse-proxy deployments.

**Are uploaded files served from public URLs?**

No. Compliance uploads are stored outside public static paths. Downloads require an authenticated session and pass role and tenant checks before streaming.

**What file types are allowed for upload?**

Uploads are limited to allowlisted extensions (PDF, Office documents, CSV, TXT, PNG, JPEG, etc.). Dangerous types (HTML, JavaScript, executables, scripts) are blocked server-side. Upload size is limited by a configurable maximum (default 25 MB).

**Is path traversal prevented for stored files?**

Yes. Storage paths are validated to stay within the configured upload root and must match the owning organization before read.
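The two upload controls above (allowlisted types with a server-side block on dangerous ones, and storage paths confined to the upload root and the owning organization) can be checked in a few lines. The following is an added example, not SYSADMINS code: the allowlist and denylist contents, the 25 MB default, the `org_<id>` directory layout under the upload root, and the function names are assumptions for illustration.

```python
# Added example, not SYSADMINS code: server-side upload checks of the kind the
# checklist describes. Allowlist, denylist, size limit, directory layout and
# function names are assumptions for illustration.
from pathlib import Path
from typing import Optional, Tuple

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # checklist default of 25 MB

# Extensions are compared lowercased and only the final suffix counts, so
# "report.pdf.html" is judged by ".html" and rejected.
ALLOWED_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".pptx",
                      ".csv", ".txt", ".png", ".jpg", ".jpeg"}
BLOCKED_EXTENSIONS = {".html", ".htm", ".js", ".exe", ".sh", ".bat", ".ps1", ".php"}


def check_upload(filename: str, size_bytes: int) -> Tuple[bool, str]:
    """Return (accepted, reason) for a proposed upload."""
    suffix = Path(filename).suffix.lower()
    if not suffix:
        return False, "missing extension"
    if suffix in BLOCKED_EXTENSIONS:
        return False, f"blocked type {suffix}"
    if suffix not in ALLOWED_EXTENSIONS:
        return False, f"extension {suffix} not allowlisted"
    if size_bytes > MAX_UPLOAD_BYTES:
        return False, f"size {size_bytes} exceeds {MAX_UPLOAD_BYTES} bytes"
    return True, "ok"


def resolve_tenant_path(upload_root: str, org_id: int, stored_path: str) -> Optional[Path]:
    """Map a stored relative path to a real location under
    <upload_root>/org_<org_id>/ (assumed layout). Returns None when the
    resolved path escapes that directory, which covers '..' segments,
    absolute paths, and a path that lands in another organization's tree."""
    org_dir = (Path(upload_root) / f"org_{org_id}").resolve()
    candidate = (org_dir / stored_path).resolve()  # resolve() collapses '..'
    try:
        candidate.relative_to(org_dir)  # raises ValueError if outside org_dir
    except ValueError:
        return None
    if candidate == org_dir:  # empty path would name the directory itself
        return None
    return candidate
```

The traversal check compares the resolved path against the resolved per-organization directory rather than scanning the string for `..`, so encoded or doubled separators that normalise to a parent directory are caught the same way. Serving code would call `resolve_tenant_path` with the requester's organization id, not one taken from the request, so a document belonging to another tenant never resolves.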

## Authentication & sessions

**How are passwords stored?**

Passwords are hashed with a modern adaptive algorithm (one-way, unique salt per password). Plaintext passwords are not stored.

**What password policy is enforced?**

Minimum length defaults to 14 characters (organization-configurable). Maximum 128 characters. Common passwords are rejected via a denylist. Organizations can configure password history requirements.

**How are sessions managed?**

Opaque session tokens stored as hashes server-side. Session cookies are HttpOnly and SameSite=Lax. Configurable idle timeout (default 15 minutes) with client warning. Absolute session lifetime capped at 7 days. Sessions can be revoked individually or in bulk by administrators.

**Is multi-factor authentication (MFA) supported?**

Yes. TOTP-based MFA with recovery codes. Organizations can require MFA for administrators and optionally all users. MFA secrets are encrypted at rest.

**Are login brute-force attacks mitigated?**

Yes. Rate limiting by email and IP, progressive delays, and account lockout after repeated failed attempts. Generic error messages avoid account enumeration.
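The mitigations listed above (limits keyed by email and by IP, progressive delays, lockout after repeated failures, and one generic error for every failure) fit in a small throttle. The following is an added example, not SYSADMINS code: the thresholds, the key format, the in-memory store, and the `verify` callback are assumptions for illustration.

```python
# Added example, not SYSADMINS code: login throttling of the kind the checklist
# describes, keyed by email and by source IP, with an exponentially growing
# delay and a temporary lockout after repeated failures, and one generic
# error message so a wrong password and an unknown account look the same.
# Thresholds, key format and the in-memory store are assumptions.
import time
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

GENERIC_LOGIN_ERROR = "Invalid email or password."


class LoginThrottle:
    def __init__(self, window_seconds: float = 900, lockout_after: int = 10,
                 lockout_seconds: float = 900, base_delay: float = 1.0,
                 max_delay: float = 30.0) -> None:
        self.window_seconds = window_seconds
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    @staticmethod
    def _keys(email: str, ip: str) -> Tuple[str, str]:
        return f"email:{email.strip().lower()}", f"ip:{ip}"

    def _recent_failures(self, key: str, now: float) -> int:
        # forget failures older than the window
        self._failures[key] = [t for t in self._failures[key]
                               if now - t < self.window_seconds]
        return len(self._failures[key])

    def check(self, email: str, ip: str, now: Optional[float] = None) -> Tuple[bool, float]:
        """Call before verifying credentials. Returns (allowed, delay_seconds);
        the caller sleeps for delay_seconds before answering an allowed attempt."""
        now = time.time() if now is None else now
        fails = 0
        for key in self._keys(email, ip):
            if self._locked_until.get(key, 0.0) > now:
                return False, 0.0
            fails = max(fails, self._recent_failures(key, now))
        # 1s, 2s, 4s, ... capped at max_delay; no delay on a clean key
        delay = min(self.base_delay * 2 ** (fails - 1), self.max_delay) if fails else 0.0
        return True, delay

    def record_failure(self, email: str, ip: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        for key in self._keys(email, ip):
            self._failures[key].append(now)
            if self._recent_failures(key, now) >= self.lockout_after:
                self._locked_until[key] = now + self.lockout_seconds

    def record_success(self, email: str, ip: str) -> None:
        for key in self._keys(email, ip):
            self._failures.pop(key, None)


def login(throttle: LoginThrottle, verify: Callable[[str, str], bool],
          email: str, password: str, ip: str,
          now: Optional[float] = None) -> Tuple[bool, str, float]:
    """Returns (ok, message, delay). `verify` is an assumed credential check
    that returns False for both a wrong password and an unknown account."""
    allowed, delay = throttle.check(email, ip, now)
    if not allowed:
        return False, GENERIC_LOGIN_ERROR, 0.0
    if verify(email, password):
        throttle.record_success(email, ip)
        return True, "", delay
    throttle.record_failure(email, ip, now)
    return False, GENERIC_LOGIN_ERROR, delay
```

Keying on both email and IP means a single source spraying many accounts trips the IP lockout while a distributed attempt against one account trips the email lockout. The throttle decides before `verify` runs, so a locked key rejects even a correct password, and the message never changes between the locked, unknown-account and wrong-password cases.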

**How do password reset and user invites work?**

Single-use tokens with expiration. Tokens are stored hashed. Successful password reset revokes active sessions.
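The session handling above (opaque tokens stored as hashes, idle and absolute lifetimes, individual and bulk revocation) and the reset and invite tokens just described (single-use, expiring, stored hashed, with a successful reset revoking sessions) share one storage pattern. The following is an added example, not SYSADMINS code: the in-memory store, the record fields, the SHA-256 digest choice, and the way time is passed in are assumptions for illustration.

```python
# Added example, not SYSADMINS code: opaque tokens for sessions and password
# resets that are stored server-side only as a hash, with idle and absolute
# expiry, single use, and revocation of all sessions when a reset completes.
# The in-memory store, field names and time handling are assumptions.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def _digest(token: str) -> str:
    # The store holds only this digest; a leaked table yields no usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    user_id: int
    purpose: str                    # "session" or "password_reset"
    expires_at: float               # absolute lifetime
    idle_seconds: Optional[float]   # idle timeout (sessions only)
    single_use: bool
    last_seen: float
    used: bool = False
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, TokenRecord] = {}

    def issue(self, user_id: int, purpose: str, ttl_seconds: float,
              single_use: bool, idle_seconds: Optional[float] = None,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[_digest(token)] = TokenRecord(
            user_id, purpose, now + ttl_seconds, idle_seconds, single_use, now)
        return token  # the raw token goes to the client and is never persisted

    def redeem(self, token: str, purpose: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user id for a valid token, or None for any failure.
        Unknown, expired, used and revoked tokens all get the same answer."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(_digest(token))
        if rec is None or rec.purpose != purpose or rec.revoked or rec.used:
            return None
        if now >= rec.expires_at:
            return None
        if rec.idle_seconds is not None and now - rec.last_seen > rec.idle_seconds:
            return None
        rec.last_seen = now  # activity extends the idle window, never the absolute cap
        if rec.single_use:
            rec.used = True
        return rec.user_id

    def revoke_all(self, user_id: int, purpose: str = "session") -> int:
        """Bulk revocation (for example by an administrator); returns the count."""
        n = 0
        for rec in self._by_hash.values():
            if rec.user_id == user_id and rec.purpose == purpose and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def complete_password_reset(self, reset_token: str, now: Optional[float] = None) -> Optional[int]:
        """Redeem a single-use reset token, then revoke the user's sessions."""
        user_id = self.redeem(reset_token, "password_reset", now)
        if user_id is None:
            return None
        # (the new password hash would be written here)
        self.revoke_all(user_id, "session")
        return user_id
```

Because every token is looked up by its digest, the raw value exists only in the client's cookie or reset link, and a copy of the token table cannot be replayed. The idle check refreshes `last_seen` on each use while `expires_at` is fixed at issue time, which is how a 15 minute idle timeout and a 7 day absolute cap coexist.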

## Encryption & network security

**Is data encrypted in transit?**

Yes. Production deployments are intended to be served over HTTPS (TLS 1.2 or higher). Session cookies use the Secure flag when HTTPS is enabled. Outbound email supports TLS/STARTTLS.

**Is data encrypted at rest?**

Application-layer: passwords are one-way hashed; sensitive authentication material (such as MFA secrets) is encrypted at rest. Database and filesystem encryption at rest depends on deployment infrastructure (e.g., encrypted database volumes, encrypted application host disk).

## Logging, audit & accountability

**Is security-relevant activity logged?**

Yes. Security events include login success/failure, password changes, MFA enrollment, session revocation, and related actions with IP and user-agent metadata where available.

**Is operational activity auditable?**

Yes. Append-only audit events record module actions (changes, documents, assets, vendors, files, etc.). Organization administrators can review audit history where permitted.

**Are audit logs tamper-evident or immutable in the application?**

Application code does not update or delete audit rows. Retention and backup immutability depend on operator deployment and database policies.

## Compliance & certifications

**Does SYSADMINS hold SOC 2 / ISO 27001 certification?**

Not at this time. The product includes controls operators expect (tenant isolation, RBAC, audit logging, secure sessions, MFA). Formal third-party certifications may follow as the platform matures.

**Does the product include a trust center for sharing compliance documents?**

Yes. The Trust module lets organizations upload compliance artifacts and assign published documents to client contacts for authenticated download through the client portal.

**Is a more detailed technical checklist available?**

Yes. Authenticated customers with Trust module access can download a detailed checklist (including implementation specifics for due diligence) from the Trust center in the application.

## Customer responsibilities

**What is the customer responsible for?**

Choosing strong passwords, enabling MFA, managing user access, configuring org security policy, and ensuring HTTPS/TLS termination and infrastructure hardening in self-hosted or private deployments.

**Can this checklist be customized?**

Yes. Download the latest public version from the SYSADMINS marketing site, or the detailed version from Trust for customer security reviews.

---

_Public summary from SYSADMINS marketing materials. For organization-specific settings, sign in and visit Admin → Security. For implementation details, download the detailed checklist from Trust._