Security & Trust

Built for the people who answer to your community.

CommandVault holds the records police chiefs use during IA reviews, in court, and at budget time. Security is not a marketing line for us — it's the floor under everything we ship.

This page tells you exactly what we have today, what we're still building, and what we hand to your IT staff on request. We won't claim certifications we haven't earned.

What's live today

Operational right now in every CommandVault production environment.

TLS / HTTPS in transit

Live today

Every request between officer devices, browsers, and our servers is encrypted with TLS 1.2+.

Bcrypt password hashing

Live today

Passwords are hashed with bcrypt (work factor ≥ 10). We never store plaintext passwords and cannot recover them.

TOTP two-factor authentication

Live today

Every user can enable 6-digit TOTP from their settings (Google Authenticator, Authy, 1Password). Each enrollment generates 8 single-use backup codes. Platform / super-admin accounts can enable the same protection.

Role-based access control

Live today

Officer, Supervisor, Admin, Quartermaster, and Platform tiers each see a permission-aware slice of the data. Optional Quartermaster Lock mode restricts inventory mutations to designated quartermasters only.

Multi-tenant isolation

Live today

Every record carries an agency_id and every query is server-side scoped to the caller's agency. Cross-tenant reads are not architecturally possible.
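
A sketch of what server-side agency scoping can look like, as an added example that is not CommandVault's code: the agency is taken from the verified session and the client's filter is wrapped in $and so it cannot widen the result set. The helper names (scoped_filter, matches, find) and the sample rows are assumptions made for illustration.

```python
from typing import Any, Mapping

TENANT_FIELD = "agency_id"  # field name taken from the page

class TenantScopeError(ValueError):
    pass

def _mentions_tenant(node: Any) -> bool:
    # Walk nested operators ($or, $and, ...) and dotted keys for the tenant field.
    if isinstance(node, Mapping):
        return any(str(k).split(".")[0] == TENANT_FIELD or _mentions_tenant(v)
                   for k, v in node.items())
    if isinstance(node, (list, tuple)):
        return any(_mentions_tenant(v) for v in node)
    return False

def scoped_filter(session_agency: str, user_filter: Mapping[str, Any]) -> dict:
    # session_agency must come from the verified session, never from request input.
    if not isinstance(session_agency, str) or not session_agency:
        raise TenantScopeError("no agency bound to session")
    if _mentions_tenant(user_filter):
        # Not needed for isolation (the $and below already pins the tenant);
        # rejecting it turns a probing request into a loggable error.
        raise TenantScopeError("client filter references agency_id")
    return {"$and": [{TENANT_FIELD: session_agency}, dict(user_filter)]}

def matches(doc: Mapping[str, Any], flt: Mapping[str, Any]) -> bool:
    # Tiny evaluator (equality, $and, $or) so the demo runs without a database.
    for key, cond in flt.items():
        if key == "$and":
            ok = all(matches(doc, c) for c in cond)
        elif key == "$or":
            ok = any(matches(doc, c) for c in cond)
        else:
            ok = doc.get(key) == cond
        if not ok:
            return False
    return True

# Constructed sample rows for two hypothetical agencies.
ROWS = [
    {"agency_id": "agency-a", "asset": "radio-17", "status": "issued"},
    {"agency_id": "agency-a", "asset": "vest-03", "status": "returned"},
    {"agency_id": "agency-b", "asset": "radio-44", "status": "issued"},
]

def find(session_agency: str, user_filter: Mapping[str, Any]) -> list:
    flt = scoped_filter(session_agency, user_filter)
    return [r["asset"] for r in ROWS if matches(r, flt)]

if __name__ == "__main__":
    print(find("agency-a", {"$or": [{"status": "issued"}, {"status": "returned"}]}))
```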

Asset accountability audit trail

Live today

Every assignment, return, kit change, request, and inspection writes an immutable history row. Records survive officer separation — useful for IA reviews and court testimony.

What we're building toward

Honest about where we are. We share roadmap detail under NDA with any agency in active procurement.

CJIS Security Addendum on request

In progress

We support agencies that operate under CJIS technical controls and will sign your CJIS Security Addendum and information-handling agreement on request. Formal third-party CJIS attestation is on our 2026 roadmap — we are intentionally building toward CJIS-aligned operational standards as the platform matures.

SOC 2 readiness

In progress

We are progressively adopting SOC 2 Type II controls. A formal audit is not yet complete; we are happy to walk through our policies, change-management procedures, and access controls with your IT staff.

US-based hosting & data residency

In progress

Customer agency data is hosted on infrastructure operated in the United States. Detailed regional / availability-zone information is available by request under NDA.

Incident response & breach notification

In progress

We monitor server logs and authentication failures for anomalies. In the event of a confirmed security incident affecting your agency, we will notify your designated point of contact within 72 hours and provide a written timeline. A formal incident-response policy is in active development.

Penetration testing

In progress

Comprehensive third-party penetration tests are scheduled for 2026. Existing safeguards include rate-limiting, brute-force account lockouts on auth, JWT signing on sessions, and security-headers hardening.

Backups & retention

In progress

Customer data is included in routine platform backups. Per-agency retention windows can be configured by your administrator. We do not delete agency records unilaterally.

A direct word on CJIS

Many SaaS vendors claim "CJIS compliant" loosely. We don't. CJIS attestation is a formal third-party process and we are working through it in 2026.

What we do today: follow the CJIS technical controls applicable to a cloud-hosted asset management system (encryption in transit, role-based access, audit logging, multi-factor authentication, brute-force protection, session management), sign your CJIS Security Addendum on request, and answer detailed questions from your county IT department.

If a vendor tells you they're already CJIS-compliant without showing you the audit report — ask for the report.

Architecture at a glance

For your IT lead's whitelist request and security review.

  • Officer device: Browser or PWA on Android / iOS / desktop. TLS 1.2+ outbound only.
  • Quartermaster kiosk: Shared tablet at the supply room. Time-boxed token, PIN per officer.
  • Admin / chief desktop: Modern browser, MFA-protected, audit-trail every action.

TLS 1.2+ · HTTPS only

  • Edge / CDN: Static assets + WAF + rate-limiting. No long-lived secrets here.
  • CommandVault API: FastAPI · JWT httpOnly cookies · per-agency request scoping · audit log.
  • Background workers: Scheduler · email digests · retention · inspection reminders. No direct ingress.

Internal VPC · encrypted at rest

  • Database (MongoDB): Multi-tenant. Every record carries agency_id. US-region. Daily encrypted backups.
  • Object storage: Asset photos, receipts, exported PDFs. Pre-signed URLs only — never public.
  • 3rd-party (egress only): Resend (transactional email), Web-Push (browser push). No customer data sold to third parties.

For your IT whitelist
  • App is served exclusively over https:// on port 443.
  • Whitelist your CommandVault tenant subdomain (e.g. your-agency.commandvault.app) and the apex commandvault.app.
  • No inbound connections to the agency's network are required. Push notifications use Web-Push from the browser.
  • Officers' devices need outbound HTTPS to the tenant subdomain only — no VPN, no installed agent.
  • If your network filters by IP range, request the egress block under NDA — we keep it short and stable.

Need a printable PDF of this architecture for procurement? Email security@commandvault.app.

Talk to us before you sign

Bring your IT lead, your county procurement, and your CJIS coordinator. We'll walk through every control above, share our policy documents, and answer hard questions. Most security reviews complete in 1–2 weeks.

Security questions: security@commandvault.app
Procurement questions: hello@commandvault.app