Security is not a feature.
It is the architecture.

Vistiga handles sensitive law enforcement data. Every design decision - from authentication to data storage - is made with that responsibility as the primary constraint.


  • MFA + eID - Multi-factor authentication
  • RBAC - Case-scoped access control
  • 100% - Actions audit-logged
  • AES-256 - Encryption at rest

Identity verification at every session.

Vistiga uses a two-step authentication model: password-based primary authentication followed by TOTP (Time-based One-Time Password) verification. Sessions are scoped, time-limited, and tied to the originating IP address and user agent.

  • Password + TOTP
    Two-factor authentication using industry-standard TOTP with configurable time windows. Compatible with Google Authenticator, Authy, and similar apps.
  • National eID Integration
    Organizations can require government-issued electronic identity verification - such as BankID, NemID, or eIDAS-compliant providers - ensuring verified identity on every login and sensitive action.
  • Session Management
    Sessions expire after 7 days of inactivity. Each session is bound to a unique cryptographic token stored in a secure, HTTP-only cookie.
  • Bcrypt Password Hashing
    Passwords are hashed using bcrypt with a cost factor of 12. Plaintext passwords are never stored or logged.
  • Failed Login Tracking
    All failed authentication attempts are logged with IP address and timestamp for security monitoring.
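
The session properties listed above (an opaque random token, binding to the originating IP address and user agent, and a 7-day inactivity limit) can be checked server-side as in the following added example, which is not Vistiga's code. Storing only a SHA-256 digest of the token, revoking the session on a binding mismatch, and all class, field and reason names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

INACTIVITY_LIMIT = 7 * 24 * 3600  # seconds; the page states 7 days of inactivity


@dataclass
class Session:
    user: str
    ip: str
    ua_digest: str
    last_seen: float


class SessionStore:
    """In-memory store keyed by SHA-256(token); the raw token lives only in the cookie."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def create(self, user, ip, user_agent, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._digest(token)] = Session(user, ip, self._digest(user_agent), now)
        return token

    def validate(self, token, ip, user_agent, now):
        """Return (user, reason); user is None when the request is rejected."""
        key = self._digest(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None, "unknown_token"
        if now - sess.last_seen > INACTIVITY_LIMIT:
            del self._sessions[key]
            return None, "expired"
        ua_ok = hmac.compare_digest(sess.ua_digest, self._digest(user_agent))
        if sess.ip != ip or not ua_ok:
            # Assumption: a valid token from a different client is revoked, never re-bound.
            del self._sessions[key]
            return None, "binding_mismatch"
        sess.last_seen = now  # sliding window: activity resets the inactivity timer
        return sess.user, "ok"
```

The reason string returned on rejection is the natural value to write to the failed-authentication log alongside the IP address and timestamp.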

Access scoped to what you need.

Vistiga implements role-based access control at two levels: organization-wide roles and case-specific roles. An investigator can only access cases they've been explicitly assigned to. No global read access exists.

Organization Roles

  • Admin (Full access)
    User management, organization settings, audit log access, all case visibility.
  • Investigator (Assigned cases)
    Full access to assigned cases. Can create subjects, add identifiers, review findings.
  • Viewer (Read-only)
    Read-only access to assigned cases. Cannot create, modify, or review data.

Case Roles

  • Lead
    Full case control. Can add/remove members, close the case, and manage all data.
  • Member
    Can add subjects, identifiers, and review findings. Cannot modify case settings.
  • Viewer
    Read-only access. All views are still logged in the audit trail.


Immutable. Append-only. Complete.

The audit log records every significant action taken in Vistiga. Entries cannot be modified or deleted by any user, including administrators. The log is designed to serve as a reliable evidentiary record of system activity.

Logged Actions Include

  • Authentication - Login, logout, failed attempts
  • Case Activity - Create, view, update, close
  • Subject Management - Create, view, update subjects
  • Identifiers - Add, delete identifiers
  • Finding Review - Review, mark actionable, dismiss
  • User Management - Create, update, deactivate

Each Entry Contains
  • Timestamp - precise to the second
  • User identity - authenticated user who performed the action
  • IP address - source IP of the request
  • Case context - which case the action relates to
  • Action details - structured metadata about what changed

Defense in depth.

Data protection is implemented at every layer - from transport encryption to application-level access controls and storage encryption. No data leaves the system without explicit authorization.

  • TLS 1.3 In Transit
    All connections are encrypted using TLS 1.3. HTTP requests are automatically redirected to HTTPS.
  • AES-256 At Rest
    Database storage uses AES-256 encryption. Backups are encrypted with separate keys.
  • Prepared Statements
    All database queries use parameterized prepared statements, eliminating SQL injection vectors.
  • Output Encoding
    All user-generated content is HTML-encoded on output, preventing cross-site scripting attacks.
  • Secure Cookie Handling
    Session tokens are stored in HTTP-only, secure, SameSite cookies - inaccessible to client-side scripts.

Designed for regulatory requirements.

Vistiga's architecture aligns with established security and data protection frameworks. The platform is designed to support organizations operating under strict regulatory and legal obligations.

GDPR Alignment

Data minimization, purpose limitation, and right-to-erasure capabilities built into the data model. Processing is limited to what is necessary for the stated investigative purpose.

Law Enforcement Directive

Designed to comply with Directive (EU) 2016/680 governing personal data processing for law enforcement purposes, including logging and access control requirements.

Audit Readiness

Complete, immutable audit trails that satisfy internal review, oversight bodies, and judicial examination. All entries are timestamped, attributed, and contextual.


Questions about our security posture?

We welcome detailed security inquiries from prospective and current clients. Contact us for additional documentation or to schedule a security review.
