Security and Audit

Protect and trace your data

In brief

KaliaOps includes advanced security features: complete action traceability with audit logs, enhanced authentication (2FA), API tokens with scopes, automatic sensitive data protection (FieldGuard) and strict tenant isolation via PostgreSQL Row Level Security.

Audit logs

KaliaOps records all actions for complete traceability.

Recorded information

Each action generates an audit entry containing:

  • Who: User who performed the action
  • What: Action type (create, modify, delete)
  • When: Precise timestamp
  • Where: IP address and user-agent
  • Detail: Before/after modification data

Tracked actions

Category       | Examples
CMDB           | Create/modify/delete assets, applications, contracts
ITSM           | Incidents, problems, changes, resolutions
Security       | Logins, password changes, role modifications
Administration | SSO configuration, user creation, exports

Access

  1. Menu Settings → Audit
  2. Filter by user, entity, period
  3. View action details

Retention

Audit logs are retained per your contract (minimum 1 year).

Tip: Regularly review audit logs to detect abnormal or unauthorized activity.
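The review the tip asks for is easier to do with a script than by eye. The following is an added example, not KaliaOps code: it runs three checks over audit entries carrying the who/what/when/where/detail fields listed above. The key names (user, action, entity, ts, ip, ua, before, after) and the sample entries are constructed for the example; the product's real export format is not described on this page.

```python
"""Audit-log review: flag suspicious patterns in exported audit entries.

Added example, not KaliaOps code. Entries carry the who/what/when/where/detail
fields described on the page; the key names (user, action, entity, ts, ip, ua,
before, after) are assumptions about the export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries (not real data).
SAMPLE_ENTRIES = [
    # five failed logins for 'alice' from one IP inside five minutes
    *[{"user": "alice", "action": "login_failed", "entity": "session",
       "ts": f"2024-05-02T09:0{i}:00Z", "ip": "203.0.113.7", "ua": "curl/8.0",
       "before": None, "after": None} for i in range(5)],
    # bob changes his own role from viewer to admin
    {"user": "bob", "action": "update", "entity": "user_role",
     "ts": "2024-05-02T10:30:00Z", "ip": "198.51.100.4", "ua": "Mozilla/5.0",
     "before": {"user": "bob", "role": "viewer"},
     "after": {"user": "bob", "role": "admin"}},
    # carol deletes an asset at 02:15 UTC ...
    {"user": "carol", "action": "delete", "entity": "asset",
     "ts": "2024-05-02T02:15:00Z", "ip": "198.51.100.9", "ua": "Mozilla/5.0",
     "before": {"id": 42, "name": "srv-old-01"}, "after": None},
    # ... and another one during business hours (not flagged)
    {"user": "carol", "action": "delete", "entity": "asset",
     "ts": "2024-05-02T14:15:00Z", "ip": "198.51.100.9", "ua": "Mozilla/5.0",
     "before": {"id": 43, "name": "srv-old-02"}, "after": None},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2024-05-02T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=10)):
    """(ip, count) for each source IP with at least `threshold` failed logins
    inside any sliding `window` (brute force / credential stuffing)."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["action"] == "login_failed":
            by_ip[e["ip"]].append(parse_ts(e["ts"]))
    hits = []
    for ip, times in sorted(by_ip.items()):
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((ip, best))
    return hits


def self_privilege_escalation(entries, privileged=("admin",)):
    """Users who changed their own role to a privileged one: the before/after
    detail names the target account, the 'who' field names the actor."""
    return [e["user"] for e in entries
            if e["entity"] == "user_role" and e["after"]
            and e["after"].get("user") == e["user"]
            and e["after"].get("role") in privileged]


def off_hours_deletes(entries, open_hour=7, close_hour=20):
    """Delete actions recorded outside [open_hour, close_hour) UTC."""
    return [e for e in entries
            if e["action"] == "delete"
            and not open_hour <= parse_ts(e["ts"]).hour < close_hour]


def find_anomalies(entries):
    """Run every check and return only the non-empty findings."""
    findings = {
        "login_bursts": failed_login_bursts(entries),
        "self_escalation": self_privilege_escalation(entries),
        "off_hours_deletes": [(e["user"], e["ts"]) for e in off_hours_deletes(entries)],
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in find_anomalies(SAMPLE_ENTRIES).items():
        print(f"{name}: {hits}")
```

The thresholds (five failures in ten minutes, a 07:00 to 20:00 UTC working day) are starting points to tune to your own tenant; the self-escalation check is the one worth keeping as-is, since an actor and target that coincide on a role change is rarely legitimate.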

2FA authentication

Two-factor authentication enhances account security.

Principle

After entering the password, the user enters a time-based one-time code (TOTP) generated by an authenticator app such as:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password

Mandatory 2FA

Administrator accounts must enable 2FA. Access is blocked until 2FA is configured.

Backup codes

KaliaOps generates 10 single-use backup codes:

  • Use one if you lose your phone or the authenticator app
  • Each code is valid only once
  • Store securely (vault, password manager)
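What the app and the server actually compute, as an added example that is not KaliaOps code: RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, which is what the listed apps use by default), a verifier that tolerates one step of clock skew but refuses to accept the same code twice, and a set of ten single-use backup codes. The page does not say how KaliaOps stores 2FA secrets or backup codes server-side; keeping only SHA-256 digests of the backup codes is this example's assumption.

```python
"""TOTP (RFC 6238) generation and verification plus single-use backup codes.

Added example, not KaliaOps code. Storing backup codes as SHA-256 digests is an
assumption; the page does not describe the product's server-side storage.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // step."""
    return hotp(key, at // step, digits)


def provisioning_uri(key: bytes, account: str, issuer: str = "KaliaOps") -> str:
    """otpauth:// URI carried by the enrolment QR code; apps expect a Base32 secret."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}&digits=6&period=30"


class TotpVerifier:
    """Server side: accept the current step and one step either side (clock skew),
    and remember the last accepted counter so a code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key, self.step, self.window = key, step, window
        self.last_counter = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already used, or older than the last accepted code
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_counter = candidate
                return True
        return False


class BackupCodes:
    """Ten single-use recovery codes. The plaintext list exists once, for the user
    to put in a vault; the server keeps only SHA-256 digests (assumption)."""

    def __init__(self, count: int = 10):
        self.plaintext = [secrets.token_hex(5) for _ in range(count)]  # 10 hex chars each
        self._digests = {hashlib.sha256(c.encode()).hexdigest() for c in self.plaintext}

    def remaining(self) -> int:
        return len(self._digests)

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if digest not in self._digests:
            return False
        self._digests.remove(digest)  # burn it: each code is valid only once
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(20)
    print(provisioning_uri(key, "alice@example.com"))
    print("current code:", totp(key, int(time.time())))
```

The replay guard matters more than it looks: with a ±1 step window a code stays acceptable for up to 90 seconds, long enough for a phished code to be reused unless the server remembers the counter it already accepted.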

Recovery

If you lose all access:

  1. Contact another administrator
  2. They can disable your 2FA
  3. Reconfigure 2FA on next login

Secure API tokens

API tokens enable secure integration with external systems.

Token security

  • Hashing: Tokens are stored hashed in the database, never in plain text
  • Single display: The plaintext token is shown once, at creation; copy it then, it cannot be retrieved later
  • Immediate revocation: A compromised token can be revoked instantly

Granular scopes

Limit each token's permissions:

Scope  | Permissions
read   | Read only (GET)
write  | Create and modify
delete | Delete entities
admin  | Administrative actions

Expiration

Configure expiration date for each token:

  • 30 days for testing
  • 1 year for stable integrations
  • No expiration (not recommended)

Best practices

  • One token per integration
  • Minimum required scopes
  • Regular token rotation
  • Audit unused tokens
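The token lifecycle described in this section (hashed storage, single display, scopes, expiration, revocation, unused-token review), as an added example that is not KaliaOps code. The scope names are the four from the table above; the "kop_" prefix, SHA-256 as the digest, the HTTP-method-to-scope mapping and the /api/admin/ path convention are assumptions made for the example.

```python
"""Scoped, expiring API tokens stored only as digests.

Added example, not KaliaOps code. The 'kop_' prefix, SHA-256 digests, the
method-to-scope mapping and the /api/admin/ path rule are assumptions; the
scope names are the ones from the page's table.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

SCOPES = {"read", "write", "delete", "admin"}
METHOD_SCOPE = {"GET": "read", "HEAD": "read", "POST": "write",
                "PUT": "write", "PATCH": "write", "DELETE": "delete"}


def token_digest(plaintext: str) -> str:
    """Tokens are high-entropy random strings, so an unsalted SHA-256 is an
    adequate one-way index (passwords, by contrast, need a slow salted hash)."""
    return hashlib.sha256(plaintext.encode()).hexdigest()


@dataclass
class TokenRecord:
    scopes: frozenset
    created_at: datetime
    expires_at: Optional[datetime]
    revoked: bool = False
    last_used_at: Optional[datetime] = None


class TokenStore:
    """In-memory stand-in for the token table: keyed by digest, never by plaintext."""

    def __init__(self):
        self._records: Dict[str, TokenRecord] = {}

    def create(self, scopes: Iterable[str], ttl_days: Optional[int] = None,
               now: Optional[datetime] = None) -> str:
        scopes = frozenset(scopes)
        if not scopes or not scopes <= SCOPES:
            raise ValueError(f"invalid scopes: {sorted(scopes - SCOPES) or 'none given'}")
        now = now or datetime.now(timezone.utc)
        plaintext = "kop_" + secrets.token_urlsafe(32)  # 256 bits of entropy
        expires = now + timedelta(days=ttl_days) if ttl_days else None
        self._records[token_digest(plaintext)] = TokenRecord(scopes, now, expires)
        return plaintext  # the only moment the plaintext exists server-side

    def revoke(self, plaintext: str) -> bool:
        rec = self._records.get(token_digest(plaintext))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authorize(self, plaintext: str, method: str, path: str,
                  now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Decide whether the token may perform `method path`; returns (ok, reason)."""
        now = now or datetime.now(timezone.utc)
        rec = self._records.get(token_digest(plaintext))
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "revoked"
        if rec.expires_at is not None and now >= rec.expires_at:
            return False, "expired"
        needed = "admin" if path.startswith("/api/admin/") else METHOD_SCOPE.get(method.upper())
        if needed is None:
            return False, f"unsupported method {method}"
        if needed not in rec.scopes:
            return False, f"missing scope {needed}"
        rec.last_used_at = now
        return True, "ok"

    def stale(self, now: datetime, idle_days: int = 90) -> List[str]:
        """Digests of live tokens idle for `idle_days`: candidates for revocation."""
        cutoff = now - timedelta(days=idle_days)
        return [d for d, r in self._records.items()
                if not r.revoked and (r.last_used_at or r.created_at) <= cutoff]
```

Note that `admin` does not imply `write` here: an integration that only changes SSO settings gets `admin`, one that creates incidents gets `write`, and neither can stand in for the other, which is the "minimum required scopes" rule above made concrete.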

Sensitive data protection

KaliaOps automatically protects sensitive data via the FieldGuard system.

Protected fields

Entity     | Fields                       | Required permission
Contracts  | Annual, monthly, total costs | contracts.field.cost
Vendors    | Bank account, SIRET, VAT     | vendors.field.bank
Users      | Password hash, 2FA secret    | Never exposed
API Tokens | Token hash                   | Never exposed

How it works

FieldGuard automatically filters:

  • CSV/PDF exports
  • API responses
  • Views for unauthorized users

Masking

Protected data is replaced with *** for users without permission.
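A filter of this shape, applied to an API response and to a CSV export, as an added example that is not the FieldGuard implementation: the policy table mirrors the one above and uses its permission strings, while the snake_case field names, the sample records and the decision to drop never-exposed columns outright (rather than mask them) are this example's assumptions.

```python
"""FieldGuard-style masking of protected fields before data leaves the server.

Added example, not KaliaOps code. The policy mirrors the page's table; the
snake_case field names, the constructed sample records and dropping (rather
than masking) never-exposed fields are assumptions.
"""
import csv
import io
from typing import Dict, Iterable, List

MASK = "***"
NEVER = object()   # field is never exposed, regardless of permissions
PUBLIC = object()  # field is not in the policy at all

FIELD_POLICY: Dict[str, Dict[str, object]] = {
    "contracts": {"annual_cost": "contracts.field.cost",
                  "monthly_cost": "contracts.field.cost",
                  "total_cost": "contracts.field.cost"},
    "vendors": {"bank_account": "vendors.field.bank",
                "siret": "vendors.field.bank",
                "vat_number": "vendors.field.bank"},
    "users": {"password_hash": NEVER, "totp_secret": NEVER},
    "api_tokens": {"token_hash": NEVER},
}


def guard_record(entity: str, record: dict, permissions: Iterable[str]) -> dict:
    """Return a copy of `record` that is safe for a caller holding `permissions`."""
    permissions = set(permissions)
    policy = FIELD_POLICY.get(entity, {})
    guarded = {}
    for field, value in record.items():
        rule = policy.get(field, PUBLIC)
        if rule is PUBLIC:
            guarded[field] = value
        elif rule is NEVER:
            continue  # drop the column entirely, even for administrators
        elif rule in permissions:
            guarded[field] = value
        else:
            guarded[field] = MASK  # present but unreadable, as in the UI
    return guarded


def guard_records(entity: str, records: Iterable[dict], permissions: Iterable[str]) -> List[dict]:
    """Apply guard_record to an API response body (a list of records)."""
    permissions = set(permissions)
    return [guard_record(entity, r, permissions) for r in records]


def export_csv(entity: str, records: Iterable[dict], permissions: Iterable[str]) -> str:
    """CSV export through the same filter: masked columns show ***, never-exposed
    columns do not appear in the header at all."""
    rows = guard_records(entity, records, permissions)
    columns: List[str] = []
    for row in rows:  # preserve first-seen column order
        columns += [c for c in row if c not in columns]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample record (not real data).
    vendors = [{"id": 3, "name": "ACME SAS", "siret": "12345678900012",
                "vat_number": "FR00123456789"}]
    print(export_csv("vendors", vendors, permissions=set()))
    print(export_csv("vendors", vendors, permissions={"vendors.field.bank"}))
```

The point of routing exports and API responses through the same function is that a permission check that exists only in the UI template is bypassed the moment someone downloads a CSV; the filter has to sit where the data is serialized.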

Extension

The system can be extended to protect other fields per your compliance needs.

Multi-tenant isolation

KaliaOps guarantees strict isolation between tenants.

Architecture

Each tenant has:

  • Its own isolated data
  • Independent configuration
  • Own users and roles

Row Level Security

PostgreSQL automatically applies RLS policies:

  • Every query is filtered by tenant_id
  • Rows belonging to another tenant are never returned, even if application code omits the tenant filter
  • Enforced by the database itself, not only by application code

Isolated sessions

  • Sessions are tied to a single tenant
  • Tenant switch requires new authentication
  • API tokens are scoped per tenant

Security audits

Isolation is regularly verified by:

  • Automated tests
  • External security audits
  • Periodic pentests

Compliance

This architecture meets requirements for:

  • GDPR (data protection)
  • ISO 27001 (information security)
  • SOC 2 (security controls)

Key points
  • Full traceability: who, what, when, IP, user-agent
  • Mandatory 2FA for administrators with backup codes
  • API tokens with granular scopes and expiration
  • FieldGuard: automatic sensitive field masking
  • Strict tenant isolation (PostgreSQL Row Level Security)
