Enterprise Security Compliance
FaceAccess is built for enterprise-grade security from the ground up. This page documents our security architecture, compliance posture, and controls protecting your data and biometric information.
Security Status
- Edge Infrastructure: Cloudflare global network with DDoS protection & WAF
- Data Encryption: AES-256 at rest, TLS 1.2+ in transit
- Biometric Templates: Encrypted, never stored as raw images
1. Infrastructure Security
Cloudflare Edge Network
All FaceAccess services are deployed on Cloudflare's global edge network (Cloudflare Pages & Workers). This provides automatic DDoS protection, global content delivery, and Web Application Firewall (WAF) protection. Traffic is filtered at the edge before reaching application logic.
Encryption at Rest and In Transit
All data at rest, including biometric embeddings, user credentials (bcrypt-hashed passwords), and access logs, is stored encrypted. All data in transit uses TLS 1.2 or higher. Sensitive configuration values (API keys, secrets) are stored as Cloudflare encrypted secrets and never exposed in application code.
Serverless Security Model
FaceAccess runs on a serverless edge architecture with no persistent server processes that could be compromised. Each request is handled in an isolated Cloudflare Worker environment. There is no SSH access, no persistent root processes, and no long-running server to maintain.
Cloudflare D1 Database
All persistent data, including user records, access event logs, and biometric templates, is stored in Cloudflare D1 (distributed SQLite). The database is isolated to the FaceAccess application namespace, access-controlled by Cloudflare's platform security, and backed up with point-in-time recovery.
2. Authentication and Access Control
User Authentication
- Passwords are stored using bcrypt hashing with per-user salts; plaintext passwords are never stored
- Session tokens are cryptographically random, time-limited, and invalidated on logout
- SMS two-factor authentication is available for sensitive account operations
- Facial biometric authentication provides a second factor for physical access points
Rate Limiting and Abuse Prevention
- Login attempts are rate-limited: 5 attempts per minute per IP address
- Face verification attempts are limited: 5 per minute with progressive lockout up to 60 seconds
- API endpoints implement request throttling and input validation
- All authentication events (login, logout, face match, failed attempts) are logged with IP address and user agent
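The face-verification limiter described above (5 attempts per minute, progressive lockout capped at 60 seconds), written here as an added illustration rather than FaceAccess's own code. The 5-second starting lockout and the doubling rule are assumptions, and the in-memory Map stands in for whatever per-key store a Worker would use (Durable Objects or KV).

```javascript
// Sliding-window attempt limiter with progressive lockout.
const POLICY = {
  maxAttempts: 5,        // from the page: 5 attempts per minute
  windowMs: 60_000,      // from the page: per minute
  baseLockoutMs: 5_000,  // assumption: first lockout lasts 5 s
  maxLockoutMs: 60_000,  // from the page: lockout grows up to 60 s
};

function createLimiter(policy = POLICY) {
  // key (IP or user id) -> { attempts: timestamps in window, strikes, lockedUntil }
  const state = new Map();

  // Records one verification attempt and says whether it may proceed.
  // `now` is injectable so the behaviour can be tested without waiting.
  function attempt(key, now = Date.now()) {
    const s = state.get(key) ?? { attempts: [], strikes: 0, lockedUntil: 0 };
    state.set(key, s);

    // While locked out, reject without counting the attempt.
    if (now < s.lockedUntil) {
      return { allowed: false, retryAfterMs: s.lockedUntil - now };
    }

    // Drop attempts that fell out of the sliding window, then count this one.
    s.attempts = s.attempts.filter((t) => now - t < policy.windowMs);
    s.attempts.push(now);

    if (s.attempts.length > policy.maxAttempts) {
      // Progressive lockout: doubles with each consecutive strike, capped.
      s.strikes += 1;
      const lockout = Math.min(
        policy.baseLockoutMs * 2 ** (s.strikes - 1),
        policy.maxLockoutMs,
      );
      s.lockedUntil = now + lockout;
      s.attempts = [];
      return { allowed: false, retryAfterMs: lockout };
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Clear strikes after a successful verification so a legitimate user
  // is not penalised for earlier noise.
  function reset(key) {
    state.delete(key);
  }

  return { attempt, reset };
}
```

Returning `retryAfterMs` lets the handler emit a `Retry-After` header and log the lockout as an authentication event alongside the IP and user agent.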
Admin Access Controls
- Role-based access control (RBAC): Admin, Operator, and Viewer roles with distinct permission sets
- Admins may manage users, doors, and access policies; Operators have limited management rights; Viewers have read-only access
- All administrative actions are logged and auditable
3. Biometric Data Security
- Biometric templates are stored as encrypted 128-dimensional floating-point vectors, never as photographs or video
- Raw camera frames are processed in-browser and discarded immediately after embedding extraction; they are never transmitted to or stored on FaceAccess servers
- Template comparison occurs server-side using cosine similarity against stored encrypted templates
- Biometric data is isolated in dedicated database columns with restricted application-level access
- Enrollment metadata (angles captured, quality scores, enrollment version) is stored separately from the template for security compartmentalization
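The server-side cosine-similarity comparison described above, as an added example that is not FaceAccess's own code. The match threshold (0.6), the margin between best and runner-up (0.1), the rejection of zero-length vectors and the 1:N identification shape are assumptions; decryption of the stored templates is out of scope, so the embeddings used for testing are constructed with a seeded PRNG.

```javascript
const EMBEDDING_DIM = 128; // from the page: 128-dimensional templates

// Cosine similarity in [-1, 1]; higher means more alike.
function cosineSimilarity(a, b) {
  if (a.length !== EMBEDDING_DIM || b.length !== EMBEDDING_DIM) {
    throw new RangeError("embedding dimension mismatch");
  }
  let dot = 0, na = 0, nb = 0;
  for (let i = 0; i < EMBEDDING_DIM; i++) {
    dot += a[i] * b[i]; na += a[i] * a[i]; nb += b[i] * b[i];
  }
  // A zero vector has no direction: report a definite non-match, not NaN.
  if (na === 0 || nb === 0) return -1;
  return dot / Math.sqrt(na * nb);
}

// 1:N identification (assumed): accept the best template only if it clears
// the threshold AND beats the runner-up by a margin, so two users scoring
// alike are rejected instead of guessed.
function identify(probe, templates, { threshold = 0.6, margin = 0.1 } = {}) {
  let best = null, second = -Infinity;
  for (const { userId, embedding } of templates) {
    const score = cosineSimilarity(probe, embedding);
    if (!best || score > best.score) {
      second = best ? best.score : second;
      best = { userId, score };
    } else if (score > second) {
      second = score;
    }
  }
  if (!best || best.score < threshold || best.score - second < margin) return null;
  return best;
}

// Constructed sample data: deterministic pseudo-random embeddings (mulberry32).
function seededEmbedding(seed) {
  let s = seed >>> 0;
  const v = new Float32Array(EMBEDDING_DIM);
  for (let i = 0; i < EMBEDDING_DIM; i++) {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), s | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    v[i] = (((t ^ (t >>> 14)) >>> 0) / 4294967296) * 2 - 1; // in [-1, 1)
  }
  return v;
}

// Simulates a fresh capture of an enrolled face: the template plus small noise.
function perturb(embedding, seed, scale = 0.2) {
  const noise = seededEmbedding(seed);
  return embedding.map((x, i) => x + scale * noise[i]);
}
```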
4. Application Security Controls
5. Compliance Framework Alignment
FaceAccess is designed to align with the following frameworks and regulations:
- BIPA (Illinois): Written consent, biometric retention policy, prohibition on sale
- CCPA/CPRA (California): Right to know, delete, and opt out of sale (we do not sell data)
- TCPA/CTIA: Opt-in SMS consent, STOP/HELP keywords, carrier compliance
- GDPR (EU users): Lawful basis for processing, data subject rights, data minimization principles
- NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover controls implemented
- OWASP Top 10: Application security controls implemented against OWASP Top 10 vulnerabilities
6. Incident Response
In the event of a security incident involving personal or biometric data:
- FaceAccess maintains an incident response plan with defined escalation procedures
- Affected users will be notified within 72 hours of confirming a breach affecting their data, consistent with applicable law
- Regulatory notification will occur where required (e.g., state AG notification under applicable breach laws)
- A post-incident review will be conducted to identify and remediate root causes
To report a security vulnerability: support@faceaccess.com with subject "Security Vulnerability Report".
7. Data Residency and Processing
FaceAccess data is processed and stored within Cloudflare's global infrastructure. Cloudflare operates data centers in the United States and internationally. Users in the European Union should note that data may be transferred to the United States. FaceAccess relies on Cloudflare's Data Processing Agreements and Standard Contractual Clauses for international data transfers.
8. Vendor Security
FaceAccess evaluates third-party vendors for security posture before integration. Current approved vendors:
- Cloudflare: Infrastructure, CDN, WAF, database, secrets (SOC 2 Type II certified)
- Twilio: SMS delivery (ISO 27001 certified, HIPAA-eligible, SOC 2 Type II)
Vendor access to FaceAccess data is limited to what is strictly necessary for service delivery and governed by Data Processing Agreements.
9. Business Continuity
FaceAccess is built on Cloudflare's globally distributed infrastructure, providing high availability and automatic failover. Cloudflare's 99.99% uptime SLA covers the underlying edge network. Application-level redundancy is provided by the distributed architecture of Cloudflare Pages and Workers.
10. Security Inquiries
Enterprise customers may request a Security Questionnaire response, Sub-Processor list, or Data Processing Agreement by contacting:
support@faceaccess.com