Security Best Practices
Implement security measures including two-factor authentication, role-based access, API key management, and audit logging.
Security Overview
Audenci implements multiple security layers:
- Two-factor authentication (coming soon)
- Role-based access control (RBAC)
- API key management
- Audit logging
- Data encryption at rest and in transit
- SOC 2 Type II compliance (in progress)
Security is a shared responsibility: follow the practices below.
Password Requirements
Strong password policy:
- Minimum 8 characters
- Mix of uppercase, lowercase, numbers and symbols
- Cannot be a common password (for example, Password123)
- Passwords are hashed with bcrypt
- Password reset via email
Use a password manager to generate unique, complex passwords.
Never share your password with team members. Use proper role assignment instead.
Two-Factor Authentication (Coming Soon)
Add extra security with 2FA:
- SMS codes (sent to your phone)
- Authenticator apps (Google Authenticator, Authy)
- Backup codes (for recovery)
- Required for Owner and Admin roles (Enterprise)
Enable 2FA in Settings → Security.
Role-Based Access Control
Principle of least privilege: assign the minimum role needed for the job function.
- Owner (full access): limit to 1-2 people
- Admin (team management): limit to leadership
- Manager (content oversight): team leads
- Creator (create content): content team
- Viewer (read-only): stakeholders
Review roles quarterly and downgrade as needed.

API Key Security
- Never commit API keys to version control (Git)
- Use environment variables for API keys
- Rotate API keys quarterly
- Scope API keys to minimum permissions needed
- Revoke unused or compromised keys immediately
- Monitor API key usage for anomalies
- Use separate keys for dev/staging/production
If an API key is exposed (committed to GitHub, leaked), revoke it immediately and rotate all keys.
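The server-side handling the list above implies (keys stored only as hashes, scoped to minimum permissions, refused once they are overdue for quarterly rotation, revoked on exposure), as an added example that is not Audenci's own code. The key format, the SHA-256 hashing of the random token and the `ApiKeyStore` API are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

ROTATION_SECONDS = 90 * 24 * 3600  # "rotate API keys quarterly"


class ApiKeyStore:
    """Registry that keeps only a hash of each key (constructed example)."""

    def __init__(self):
        self._records = {}  # key_id -> {"hash", "scopes", "created", "revoked"}

    def issue(self, scopes, now=None):
        """Mint a key. The plaintext is handed back once and never persisted."""
        now = time.time() if now is None else now
        key_id = secrets.token_hex(4)        # public identifier, safe to log
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy
        plaintext = f"ak_{key_id}_{secret}"
        # SHA-256 is enough for a high-entropy random token; bcrypt is for
        # low-entropy user passwords, which this store never sees.
        self._records[key_id] = {
            "hash": hashlib.sha256(plaintext.encode()).hexdigest(),
            "scopes": frozenset(scopes),
            "created": now,
            "revoked": False,
        }
        return plaintext

    def revoke(self, key_id):
        """Revoke immediately on exposure or when the key is no longer used."""
        self._records[key_id]["revoked"] = True

    def authorize(self, plaintext, needed_scope, now=None):
        """True only if the key is known, unrevoked, not overdue and scoped."""
        now = time.time() if now is None else now
        parts = plaintext.split("_", 2)
        if len(parts) != 3 or parts[0] != "ak":
            return False
        rec = self._records.get(parts[1])
        if rec is None or rec["revoked"]:
            return False
        digest = hashlib.sha256(plaintext.encode()).hexdigest()
        if not hmac.compare_digest(digest, rec["hash"]):  # constant-time compare
            return False
        if now - rec["created"] > ROTATION_SECONDS:
            return False  # overdue for rotation: refuse until a fresh key is issued
        return needed_scope in rec["scopes"]
```

The `now` parameter exists so the rotation window can be exercised deterministically; in production it defaults to the current time.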
Social Account Security
Secure connected social accounts:
- Use strong passwords on social platforms
- Enable 2FA on all social accounts
- Review connected apps and revoke unused ones
- Monitor token expiration and refresh proactively
- Don't share social account credentials
A compromised social account means compromised Audenci access.
Audit Logging
Comprehensive audit logs track:
- User logins and logouts
- Content creation, updates and deletion
- Status changes and approvals
- Social account connections
- Team member invitations and removals
- Settings changes
- API key creation and revocation
Logs cannot be edited or deleted. They are available for 90 days (longer retention for Enterprise).
Access Audit
Regularly audit access:
- Review all team members quarterly
- Remove inactive users immediately
- Verify roles are appropriate
- Check social account connections
- Review API keys and revoke unused ones
- Audit automation permissions
Schedule a quarterly access review.
Data Encryption
Audenci encrypts data:
- At rest (database encryption)
- In transit (TLS 1.3)
- Social account tokens (encrypted in the database)
- API keys (hashed)
- User passwords (bcrypt hashed)
No sensitive data is stored in plaintext.
Session Management
Session security measures:
- Sessions expire after 30 days of inactivity
- Forced logout on password change
- Revocation of all sessions on request
- Monitoring of concurrent sessions per user (alert on anomalies)
Log out on shared computers.
Incident Response
If you suspect a security incident:
- Change your password immediately
- Revoke API keys
- Notify your Admin/Owner
- Contact Audenci support (security@audenci.com)
- Review audit logs for unauthorized access
- Document the incident for investigation
Report security issues responsibly.
Best Practices
- Enable 2FA when available
- Use unique, strong passwords
- Don't share credentials
- Assign minimum necessary roles
- Review access quarterly
- Rotate API keys regularly
- Monitor audit logs for anomalies
- Report security concerns immediately