SevenSkies protects organiser and traveller data with layered controls that cover encryption, access, monitoring, and incident response. The summary below is kept in sync with every release.
Last updated: 04 February 2025
Authentication tokens, refresh keys, analytics identifiers, and webhook secrets are encrypted using AES-256-GCM (enc:v1) with rotation handled through AUTH_SECRET bundles stored outside the codebase.
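A sketch of how a versioned AES-256-GCM envelope with key rotation can work, added here as an illustration and not SevenSkies' own code. The token layout (`enc:v1:<keyId>:<iv>:<tag>:<ciphertext>`), the bundle shape, and the names `makeBundle`, `seal` and `open` are assumptions.

```javascript
// Added example; envelope layout and bundle shape are assumptions, not SevenSkies' format.
const nodeCrypto = require("node:crypto");

const PREFIX = "enc:v1"; // version tag named on the page

// Hypothetical bundle: key id -> 32-byte key, plus the id used for new writes.
// In production the key material is loaded from a secret store, never from source.
function makeBundle(currentId, keys) {
  const map = new Map(Object.entries(keys));
  for (const [id, key] of map) {
    if (!/^[A-Za-z0-9_-]+$/.test(id)) throw new Error(`bad key id: ${id}`);
    if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error(`key ${id} must be 32 bytes`);
  }
  if (!map.has(currentId)) throw new Error("current key id missing from bundle");
  return { currentId, keys: map };
}

// AAD binds version, key id and field name, so a ciphertext copied into
// another field or relabelled with another key id fails authentication.
const aad = (keyId, context) => Buffer.from(`${PREFIX}:${keyId}:${context}`);

function seal(bundle, plaintext, context) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", bundle.keys.get(bundle.currentId), iv);
  cipher.setAAD(aad(bundle.currentId, context));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const fields = [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url"));
  return [PREFIX, bundle.currentId, ...fields].join(":");
}

function open(bundle, token, context) {
  const parts = token.split(":");
  if (parts.length !== 6 || `${parts[0]}:${parts[1]}` !== PREFIX) {
    throw new Error("unsupported envelope");
  }
  const [keyId, iv, tag, ct] = parts.slice(2);
  const key = bundle.keys.get(keyId);
  if (!key) throw new Error("unknown or retired key id");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key,
    Buffer.from(iv, "base64url"), { authTagLength: 16 });
  decipher.setAAD(aad(keyId, context));
  decipher.setAuthTag(Buffer.from(tag, "base64url"));
  // final() throws if the tag, AAD, key or ciphertext does not match.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64url")), decipher.final()]);
  // Old keys stay readable; flag the value so the caller rewrites it under the current key.
  return { plaintext: pt.toString("utf8"), needsReencrypt: keyId !== bundle.currentId };
}
```

Rotation then means adding a new key id to the bundle, making it current, re-sealing values flagged `needsReencrypt`, and removing the old key once nothing references it.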
Files uploaded to Participant Hub are scanned and stored with presigned URLs that expire automatically; sensitive exports (PDF, CSV, ICS) are regenerated per session.
Role-based permissions govern every admin or organiser action (trip management, payouts, notifications). Support access requires enforced 2FA and step-up tokens for destructive tasks.
Public itineraries mirror only the data flagged as shareable; owner emails, notes, and supplier files never leave the secure workspace.
Every API route emits structured security events to the alerts pipeline (email + local log file). Rate-limit anomalies trigger automatic throttling and Slack/email notifications when configured.
Passenger restarts are captured in start.log / stderr.log so infra teams can audit deployments and rollbacks.
Primary data lives on GCC-hosted MySQL clusters with read replicas for analytics. Backups remain encrypted at rest and rotate every 30 days.
If you need a signed DPA or region-specific residency commitment, email compliance@7sss7.com and reference your workspace ID.
Responsible disclosure is encouraged. Send reports to security@7sss7.com with reproduction steps. We aim to acknowledge critical findings within one business day.