Security & Trust

AMAlina is engineered with layered controls across authentication, authorization, transport security, and audit traceability. This page provides a simple view for founders and a deeper, technical view for engineers — without exposing sensitive internals.

FOUNDER VIEW Simple explanation

Security is the foundation — not a feature

AMAlina is built so that access decisions are enforceable, auditable, and defensible. In practical terms, it helps ensure people get only the access they need, and changes are controlled through clear policy-driven flows.

  • Encrypted communication (HTTPS/TLS) for UI and services
  • Server-side validation on every API request
  • Time-bound sessions (tokens expire automatically)
  • Audit visibility into access changes and policy outcomes

Share this section with non-technical stakeholders.

SECURITY & IT Structured assurance

Layered controls across identity, access, and audit

AMAlina applies defense-in-depth: authentication artifacts are time-bound, tokens are validated, and authorization is enforced server-side — not trusted from the browser.

  • Authentication: centralized IdP with short-lived exchange artifacts
  • Token security: signed JWTs with issuer/audience + expiry validation
  • Authorization: server-side permission checks per request
  • Audit: traceability for authentication events and access changes

Designed for enterprise governance expectations.

ENGINEER VIEW Detailed explanation

Security mechanics (high-level)

AMAlina uses signed JWT-based session control with server-side validation. Authentication exchange artifacts are short-lived, and API calls are authorized on each request. Sensitive secrets remain server-side.

  • Signed JWT sessions with strict validation (issuer / audience / expiry)
  • Session-scoped token storage (browser session context)
  • Server-side authorization checks per endpoint/method
  • Separation of concerns: IdP / SP responsibilities and REST enforcement

Note: This is intentionally public-safe. Deeper deployment hardening and threat-model details are shared under NDA.

Enough detail for engineers without exposing internals.
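
What the controls listed above (signed JWT, issuer / audience / expiry validation, authorization per endpoint/method) look like on the server, as an added illustration that is not AMAlina's code. HS256, the `perms` claim, the route table and every value shown are assumptions constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not AMAlina configuration).
SECRET = b"demo-signing-key-kept-server-side"
ISSUER, AUDIENCE = "https://idp.example.test", "rest-api"
# (method, path) -> required permission; anything unlisted is denied.
ROUTE_PERMS = {("GET", "/roles"): "roles:read", ("POST", "/roles"): "roles:write"}

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims):
    """Mint an HS256 token (stands in for the IdP in this demo)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def validate(token, now=None):
    """Return the claims only if alg, signature, iss, aud and exp all pass."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # Pin the algorithm server-side; the header's own "alg" is never trusted.
        if header.get("alg") != "HS256" or not hmac.compare_digest(want, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong part count, bad base64, bad JSON
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # missing exp is rejected
        return None
    return claims

def authorize(token, method, path, now=None):
    """Per-request decision: 401 for an invalid token, 403 for a missing permission."""
    claims = validate(token, now)
    if claims is None:
        return 401
    need, perms = ROUTE_PERMS.get((method, path)), claims.get("perms")
    return 200 if need and isinstance(perms, list) and need in perms else 403
```

Editing the payload in the browser to add a permission changes the signed bytes, so the request fails validation before the permission check is reached.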

AUTHENTICATION SSO & login flow

Authentication & SSO

AMAlina supports centralized authentication through its IdP and can participate in SSO flows. Authentication occurs over TLS. Login exchange artifacts are time-bound to reduce exposure windows.

  • Encrypted transport (HTTPS/TLS)
  • Short-lived authentication exchange artifacts
  • Server-side token validation before session establishment

SESSION Token & expiry

Token & Session Safety

AMAlina sessions are time-bound. Tokens are validated server-side and expire automatically. Tokens may be stored in browser session storage (session-scoped context) to avoid long-lived persistence.

  • Signed JWTs with expiry validation
  • Issuer and audience validation
  • Session-scoped storage (non-persistent across full browser restarts)

AUTHORIZATION Server-side enforcement

Authorization Policy Enforcement

Authorization decisions are enforced server-side for every request. AMAlina does not rely on client-side checks to grant access. Policies and roles govern what a user can do.

  • Server-side validation for each API request
  • Method/endpoint access controls
  • Policy-aware controls (including SoD where configured)

PLATFORM Transport & deployment

Transport & Deployment Security

AMAlina supports on-prem deployments and single-tenant VPC patterns where customers control network boundaries, administrative access paths, and operational hardening.

  • HTTPS/TLS for UI and services
  • Network boundary control (on-prem or VPC)
  • Least-privilege connectivity model (recommended)

AUDIT Traceability

Audit & Traceability

AMAlina records security-relevant activity to support audits and investigations, including authentication events, access changes, and policy outcomes.

  • Authentication events
  • Access grants, revocations, and changes
  • Policy violations and outcomes
  • Administrative actions (where applicable)

ALIGNMENT Framework-ready language

Compliance Alignment

AMAlina is designed to support organizations aligning with common security and compliance frameworks (depending on overall deployment controls and processes).

  • ISO 27001 (alignment support)
  • SOC 2 (alignment support)
  • SOX (alignment support)

Important: We avoid claiming formal certification unless achieved. We position AMAlina as “supports alignment” and provide evidence under NDA.

SECURITY REVIEW NDA details

Security Brief (Available Under NDA)

For enterprise security assessments, we can share deeper documentation under NDA, including deployment hardening guidance, operational controls, and implementation details appropriate for a security review.