17.1 Authentication
- Email verification required at signup
- Strict password policy with real-time strength indicator
- 30-minute session timeout with warning dialog and extension option
- Login mode selection (Auditor vs. Reviewer)
17.2 Data Isolation
- All data is isolated at the organization level using Row-Level Security (RLS)
- Users can only access data belonging to their active organization
- Switching organizations changes the data context completely
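As an added illustration (not the product's own schema or code), the PostgreSQL statements below show how organization-level Row-Level Security of the kind described above is typically enforced. The `audits` table, its `organization_id` column, the `app.current_org` setting and the `app_user` role are assumptions made for this example.

```sql
-- Added example only; table, column, setting and role names are assumptions.
CREATE TABLE audits (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL
);

-- Deny by default: once RLS is enabled, rows are invisible until a policy
-- grants them. FORCE applies the policy to the table owner as well.
ALTER TABLE audits ENABLE ROW LEVEL SECURITY;
ALTER TABLE audits FORCE ROW LEVEL SECURITY;

-- The application publishes the active organization as a transaction-local
-- setting. current_setting(..., true) returns NULL when the setting has never
-- been set and '' after a SET LOCAL has expired; NULLIF folds both cases to
-- NULL, so an absent context matches no rows instead of raising or leaking.
CREATE POLICY org_isolation ON audits
    USING (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Application role: not a superuser, no BYPASSRLS, not the table owner.
-- The login role used by the connection pool is granted membership in it.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON audits TO app_user;
GRANT USAGE, SELECT ON SEQUENCE audits_id_seq TO app_user;

-- Per-request pattern. "Switching organizations" is nothing more than
-- changing this one setting; every query then sees a different data set.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '00000000-0000-0000-0000-000000000001';
SELECT id, title FROM audits;   -- only rows of organization ...0001

-- Writes are constrained too: a row tagged with another organization is
-- rejected by the WITH CHECK clause with a policy violation error.
INSERT INTO audits (organization_id, title)
    VALUES ('00000000-0000-0000-0000-000000000002', 'cross-org write');
ROLLBACK;
```

Two checks worth running against any RLS-based isolation: confirm that the role the application connects with has neither SUPERUSER nor BYPASSRLS (both skip every policy), and confirm that the organization context is set with SET LOCAL inside each transaction rather than SET, so a pooled connection cannot carry one user's organization into the next request.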
17.3 Cookie Consent
A cookie consent banner is displayed to all users. Consent preferences can be managed.
17.4 Legal Pages
The following legal documents are accessible from the landing page footer:
- Terms of Service (/terms)
- Privacy Policy (/privacy)
- Security (/security)
- Compliance (/compliance)
- Usage & Billing Policy (/usage-policy)
- Refund Policy (/refund-policy)
17.5 Admin Impersonation
System administrators can impersonate user accounts for support purposes. When impersonation is active:
- A red banner appears at the top of the screen indicating that the session is impersonated
- All impersonation sessions are logged in the admin audit log
- The admin can end the impersonation session at any time