Financial Data Security
Built for Zero Trust
A complete security stack for CPA firms handling sensitive client data - SSNs, tax documents, bank details. Every access requires fresh authentication. Every action is logged immutably.
Auth Factors: 3
Grace Period: Zero
Encryption Layers: 2x
Audit Log: 100%
Security Architecture
Four independent layers, each with its own security guarantee. Compromise one layer and the others still hold.
- SSN encrypted via AES-256-GCM before any network call
- Files encrypted client-side before upload
- ECDH session key negotiation per request
- Plaintext never leaves the browser

- All traffic over TLS 1.3
- HMAC-SHA256 request signing prevents replay attacks
- Unique nonce per request (60s TTL)
- Certificate pinning recommended for mobile

- 3-factor: Password + TOTP + Passkey
- Zero grace period - every reveal re-authenticates
- Challenge expires in 2 minutes
- Single-use access tokens (consumed on first use)

- Envelope encryption: DEK per record, wrapped by KEK
- Masked values stored separately (***-**-1234)
- Immutable audit log - no delete mutations exist
- IP allowlist + device trust required for staff
What This Demo Shows
Each route demonstrates a different actor in the system. Use the role switcher in the bottom-right to change who you are.
Client Portal
Watch SSNs auto-format, encrypt on blur, and upload a file with in-browser encryption progress. See exactly what gets stored.
CPA View
View the masked client list, trigger a 3-factor challenge to reveal an SSN, and access secured documents with watermarking.
Admin Controls
Security dashboard, device trust management, IP allowlist, and the immutable audit log. Full auth settings panel.
Guided Tour
Step-by-step walkthrough explaining WHY each security measure exists. Plus "What happens if..." failure scenarios.
Live Permission Checks
These blocks use real RequireRole and RequirePermission guards from @chimaeraco/auth-ui. Switch your role to see them change.