We treat security as a first-class feature — not an afterthought. Here is how we protect your business data.
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. API communication between your browser and our servers is always over HTTPS.
JWT-based authentication with short-lived tokens and secure httpOnly cookies. Role-based access control (RBAC) with three levels — Superadmin, Org Admin, and Member — limits what each user can see and do.
Every organisation's data is logically isolated at the database level. No cross-tenant data leakage is possible by design — all queries are scoped to the authenticated organisation.
Critical financial and inventory actions are logged with timestamps, user identity, and before/after values. Audit logs are immutable and cannot be deleted by organisation users.
All API endpoints are rate-limited to prevent brute-force and denial-of-service attacks. Authentication endpoints use stricter limits with automatic lockout.
Production databases are backed up daily with point-in-time recovery. Backups are stored in a separate region and retained for 30 days.
We conduct periodic security reviews and penetration tests. Critical vulnerabilities are patched within 24 hours; moderate within 7 days.
Found a vulnerability? We welcome responsible disclosure. Email security@bmssuite.online with details and we will respond within 48 hours. Please do not disclose publicly until we have had a chance to address the issue.
If you discover a security issue, please contact us privately before any public disclosure.
security@bmssuite.online