What's New
June 2026 — Subscription model & editable site policies
2026-06-06
- Feature: Super admin can now set a seat cap, flat subscription price, currency, and billing frequency per customer at account creation. Customer admins are prevented by the system from exceeding the cap and see their seat usage on the User Management screen.
- Feature: Site policies (Privacy, Terms, Trust, Security, this Change log) are now editable directly from the in-app admin without a redeploy. Company-wide variables (legal name, registered address, governing law) are managed in one place and substituted into every rendered policy.
- Feature: Public Security & Responsible Disclosure page with explicit safe-harbor language for security researchers.
June 2026 — Engineering process & legal documentation
2026-06-04
- Feature: Public Privacy Policy, Terms of Service, and DPA template aligned to Egypt PDPL, KSA PDPL, UAE PDPL, and GDPR.
- Internal: Change management, code-review, asset-inventory, vendor-risk, and environment-isolation policies published in the repo. PR template and CODEOWNERS enforce them on every change.
- Internal: Operational runbooks for incident response, secrets rotation, email authentication (SPF/DKIM/DMARC), and backup/DR.
June 2026 — Data-subject rights tooling (DSAR)
2026-06-03
- Feature: Tenant admins can export everything we hold about a named user as a structured JSON file (right of access).
- Feature: Tenant admins can anonymise a named user: identifying attributes are replaced with stable redacted placeholders so the audit trail stays intact under the redacted name (right of erasure).
- Security: Both actions are logged in the per-tenant activity log.
June 2026 — Hash-chained audit log & intrusion-detection alerts
2026-06-02
- Security: Every privileged action is now chained into an append-only SHA-256 hash chain. Silent tampering with the underlying tables becomes detectable; the Activity Log page shows a green / red integrity verdict on its first page.
- Security: Daily intrusion-detection scan emails the account owner when we spot lockouts, IP-enumeration sweeps, or distributed brute-force patterns against their tenant.
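How a hash-chained audit log catches the tampering described above, as an added illustration rather than the product's own code: the seed value, record layout and sample actions are constructed for this example.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # hypothetical seed for the first link; not the product's real value

# Constructed sample of privileged actions (not real tenant data).
SAMPLE_ACTIONS = [
    {"seq": 1, "actor": "admin@example.test", "action": "user.invite", "target": "u-101"},
    {"seq": 2, "actor": "admin@example.test", "action": "user.anonymise", "target": "u-077"},
    {"seq": 3, "actor": "owner@example.test", "action": "policy.edit", "target": "privacy"},
]

def link_hash(prev_hash: str, entry: dict) -> str:
    # SHA-256 over the predecessor's hash plus the canonical (sorted, compact) JSON of this
    # entry, so the digest does not depend on key order or whitespace.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"|" + body).hexdigest()

def build_chain(entries: list) -> list:
    # Append-only: each stored record commits to its entry and to every record before it.
    chain, prev = [], GENESIS_HASH
    for entry in entries:
        prev = link_hash(prev, entry)
        chain.append({"entry": dict(entry), "hash": prev})
    return chain

def verify_chain(chain: list) -> tuple:
    # Recompute every link from the seed. (True, -1) = intact; (False, i) = first broken record.
    prev = GENESIS_HASH
    for i, rec in enumerate(chain):
        if link_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, -1

def tamper_scenarios() -> dict:
    # What the verifier reports for edits made directly to the underlying table.
    edited = build_chain(SAMPLE_ACTIONS)      # field changed, hash column left alone
    edited[1]["entry"]["actor"] = "someone.else@example.test"
    rehashed = build_chain(SAMPLE_ACTIONS)    # field changed AND its own hash recomputed;
    rehashed[1]["entry"]["actor"] = "someone.else@example.test"  # the successor still breaks
    rehashed[1]["hash"] = link_hash(rehashed[0]["hash"], rehashed[1]["entry"])
    deleted = build_chain(SAMPLE_ACTIONS)     # middle row removed
    del deleted[1]
    return {"intact": verify_chain(build_chain(SAMPLE_ACTIONS)), "edited": verify_chain(edited),
            "rehashed": verify_chain(rehashed), "deleted": verify_chain(deleted)}

if __name__ == "__main__":
    for name, (ok, idx) in tamper_scenarios().items():
        print(f"{name:9s} {'green' if ok else 'red'}  first bad record: {idx}")
```

Dropping the newest records from the tail leaves the remaining prefix self-consistent, so a verifier like this cannot detect truncation unless the latest hash is also recorded somewhere the table writer cannot reach.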
May 2026 — Rate limiting, IP allowlist, response headers
2026-05-30
- Security: Per-IP rate limits on the sign-in, password-reset, account-activation, and resend-activation endpoints.
- Feature: Optional per-tenant IP allowlist: enterprise customers can restrict sign-ins to their corporate network or VPN.
- Security: HSTS (1 year, includeSubDomains), Content-Security-Policy, X-Frame-Options DENY, Referrer-Policy and Permissions-Policy headers added in production.
May 2026 — Auth foundations
2026-05-25
- Security: TOTP-based multi-factor authentication with single-use, bcrypt-hashed backup codes.
- Security: Self-serve password reset and admin-initiated, email-verified account activation flows.
- Security: Account lockout after 5 failed sign-ins; 15-minute cooldown; every attempt logged.
- Security: 30-minute idle / 12-hour absolute session timeout; HttpOnly + Secure + SameSite=Lax session cookies.
- Security: 12-character password policy with class-diversity and common-password blocklist (NIST 800-63B aligned).