Your demat is sacred.
Holding strangers' MeroShare credentials is a serious responsibility. Here's how we treat it.
Encrypted at rest
MeroShare username, password, transaction PIN, and CRN are stored as AES-256-GCM ciphertext. The master key is read from an environment variable and never written to the database.
Decryption is audited
Every time we decrypt a credential to log in for you, we write an entry to the audit log with the reason, target, and IP. You can see your own entries in /logs.
Role-based access
Three roles: USER, ADMIN, SUPER_ADMIN. Admin pages are gated both in middleware and by server-side checks. Admins never see plaintext credentials — only labels and metadata.
Suspension is instant
A suspended user cannot sign in, and any scheduled run is skipped at fire time. Admins can suspend with a reason captured in the audit log.
New-IP alerts
When your account signs in from an IP it hasn't used before, we email you immediately. You can disable this in /settings/notifications (but we recommend leaving it on).
Full audit log
Sign-ups, sign-ins, MeroShare CRUD, every Playwright run, every preference change — all logged with timestamp and IP. Available to you under /logs, to admins under /admin/logs.
On the roadmap (Phase 3b)
- Envelope encryption: per-user data-encryption keys wrapped by a KMS-held key
- Mandatory TOTP 2FA
- Email verification before adding any MeroShare account
- Mobile OTP at signup
- Cloudflare Turnstile on auth pages
- Per-IP rate limiting
- Session revocation (forced sign-out)