Last updated: 2026-04-17
We never see or store your plaintext password. Passwords are bcrypt-hashed server-side at cost factor 12 before any disk write.
On every password change we query the Have I Been Pwned database using k-anonymity (only a 5-character SHA-1 prefix is sent; the full hash is never transmitted). Passwords that appear in any known breach are rejected.
10 consecutive failed logins within 30 minutes trigger a 30-minute account lockout. Lockout is per-account, not per-IP, so one attacker cannot lock out a legitimate user from a shared NAT.
Login and forgot-password responses are constant-time and return the same shape regardless of whether the email exists. Attackers cannot confirm account presence through timing or response differences.
Session ID is regenerated on login, on role change, and on password change.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Enforced at the edge.
Session cookie lnb.sid is HttpOnly (not readable by JavaScript), Secure (HTTPS only), SameSite=Lax, with an 8-hour rolling TTL.
CSP blocks inline scripts by default (with page-scoped exceptions), restricts connect-src, frame-src, and form-action to first-party, and sets frame-ancestors 'none' against clickjacking.
X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: no-referrer, Cross-Origin-Opener-Policy: same-origin.
Every gated page is wrapped in role middleware (requireAdmin, requireInvestorOrAdmin, requireDistributorOrAdmin, etc.). No "security through URL obscurity" — every request is evaluated.
Investor and distributor data rooms are accessible only after the user has executed our Non-Circumvention Non-Disclosure Agreement. We record the exact session that accepted it.
Every document view in a gated data room is watermarked with the authenticated viewer's identity so any breach is attributable.
Separate single-purpose gate. Access is independent from the rest of the auth system and expires on a server-side date (HARRINGTON_EXPIRES).
Login: 5 attempts / 15 min per IP. Forgot-password: 3 requests / hour per IP. Admin-only endpoints: 60 requests / min per admin session.
The server refuses to serve internal files (server.js, users.json, .env, /.git/, *.md, *.log, CLAUDE_PROMPT.md) and returns 404 even if requested directly.
Every login, password change, password reset, approval/denial, data-room access decision, and admin action is written to an append-only JSON-lines audit log with timestamp, email, IP, user-agent, and result.
Every outbound email records recipient, template, timestamp, delivery status, and message-ID (when returned by the transport) in a separate email audit log.
No Google Analytics. No Meta / Facebook Pixel. No LinkedIn Insights, TikTok Pixel, or any third-party advertising tracker. Our analytics engine runs server-side and aggregates only.
Only Google Workspace (email), Google Drive (video hosting), Google Fonts (typography), and Railway (hosting) process any data on our behalf. Full list at /legal/subprocessors.html.
We delete data when the purpose it was collected for is complete. Full retention schedule at /privacy.html § 4.
We welcome reports from security researchers. See our security.txt (RFC 9116) for the canonical machine-readable contact. In scope: blokusa.com and all subdomains, /api/* endpoints, authentication and session handling, data room access controls. Out of scope: denial of service, social engineering of staff, third-party services (Google, Railway). Please do not access, modify, or delete data that is not your own. We will respond to any valid report within 3 business days.
Report to: info@blokusa.com with "Security Report" in the subject line.
We do not currently publish a PGP key. For encrypted correspondence with the security team, email us first and we will coordinate a secure channel (Signal or a one-time PGP key generated for the engagement).
We are a small company and are transparent about what we do and do not have:
We are happy to complete reasonable customer security questionnaires on request.
Security team: info@blokusa.com · Lok-N-Blok Systems LLC · 504-913-3606