Security measures
Security measures in the FoxPlan application
Note: The following summarizes technical and organizational measures for the FoxPlan web application. Implementation in code and configuration is indicated where relevant; hosting, legal, and commercial terms are covered in FoxPlan’s Privacy Policy, Data Processing Agreement, and contracts. Infrastructure choices (TLS at the reverse proxy, volume encryption, the cloud provider’s SOC, etc.) follow deployment and supplier agreements.
Secure development practices and industry references
FoxPlan engineering uses widely accepted secure software development practices. In particular, product design and code reviews are informed by the OWASP Top 10 (the Open Web Application Security Project’s catalog of the most critical web application security risks). The measures described in the sections below map to those risk areas—for example access control and least privilege, strong authentication, transport and data-at-rest protection, secure configuration, and security logging. This is a methodological alignment with community best practice; it is not a claim of third-party “OWASP certification” of the product. For large enterprise assessments, a more detailed control matrix can be discussed; the OWASP ASVS (Application Security Verification Standard) is a common reference for such exercises.
- Static analysis: The codebase is integrated with SonarQube (Java and TypeScript/JavaScript scopes as configured), supporting detection of maintainability issues and many security-relevant patterns; analysis can be run as part of the Maven workflow documented for the project.
- Automated testing: Regressions are reduced through automated test suites (e.g. JUnit for the backend, Jest for the frontend) executed in the delivery pipeline.
- Dependency management: Libraries are managed through Maven and npm; dependency updates are part of ongoing release hygiene to address known vulnerabilities in third-party components.
- Security-focused frameworks: The stack relies on Spring Security and established libraries for authentication and transport security, limiting bespoke cryptographic and access-control code.
Solution model and deployment
- FoxPlan is delivered as SaaS. Integration with subscriber systems is typically via HTTPS in the browser, plus enterprise SSO (OAuth2/OIDC, SAML) where configured.
- Deployment options (public cloud, private cloud, hybrid, on-premise) depend on project scope; a public-cloud SaaS deployment is the usual default.
- Non-production vs production: The application supports multiple Spring profiles and isolated configurations; how strictly environments are separated for a given deployment is defined in the deployment architecture.
Authentication and sessions
- Password storage: Passwords are hashed using BCrypt (Spring Security).
- API authentication: Stateless JWT tokens, signed with HS512; signing keys are supplied via configuration (base64 secret recommended).
- Enterprise SSO: OAuth2 / OpenID Connect (including Microsoft Entra ID–compatible flows) and SAML 2.0, with dynamically loaded client and identity-provider registration.
- Strong authentication (MFA): TOTP (authenticator apps) and email one-time codes, configurable per enterprise—available for end users and applicable to administrative access when enabled by policy.
- Privileged and administrative accounts: Functional and technical administration is driven by roles inside the tenant; each subscribing organization designates who holds administrator privileges.
- Optional token cookie: Configurable cookie attributes (Secure, SameSite) when token-in-cookie mode is enabled.
- HTTP session cookies: Servlet session cookies use the HttpOnly flag (application.yml).
Access control and who can access data
- API routes: Most /api/** endpoints require authentication; sign-in, registration, health checks, selected public endpoints, and SSO discovery paths are explicitly allow-listed.
- Administrative endpoints: Spring Boot Actuator routes under /management/** require an administrative role unless individually opened (e.g. health / info / metrics per configuration).
- Fine-grained authorization: Method-level security (@PreAuthorize) protects sensitive REST resources alongside role-based workspace administration.
- Tenant data: Day-to-day access is by end users according to profiles and permissions defined by that organization’s administrators.
- FoxPlan operational access: Access by FoxPlan staff for support or maintenance is governed by contractual and procedural controls described in official documentation.
- Location of personnel: FoxPlan personnel with such access are primarily located in France, unless otherwise agreed for a specific engagement.
Browser and web application protections
- CSRF: Cookie-backed CSRF tokens with standard header/cookie names; exclusions apply where required for SPA + JWT flows.
- Security headers: Content Security Policy (CSP), Referrer-Policy, Permissions-Policy, and same-origin framing controls.
- CORS: Cross-origin handling via a dedicated filter in the security chain.
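The three sections above (authentication and sessions, access control, browser protections) describe controls that, in a Spring Boot application, normally live in one Spring Security configuration class. The class below is an added illustration of how those controls fit together in the Spring Security 6 lambda DSL; it is not FoxPlan’s code. The package name, the property name `app.jwt.base64-secret`, the exact route patterns (`/api/authenticate`, `/api/register`, `/api/public/**`, `/api/sso/discovery/**`, static asset paths), the role name `ROLE_ADMIN`, the BCrypt cost and the allowed CORS origin are all assumptions chosen for the example.

```java
package com.example.security; // hypothetical package, not FoxPlan's

import java.util.Base64;
import java.util.List;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize checks on controller/service methods
public class WebSecurityConfig {

    // Passwords are stored as BCrypt hashes; cost factor 12 is an assumed value.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // HS512 verification key from a base64-encoded secret supplied by configuration.
    // HS512 is HMAC-SHA512, so the key should be at least 64 bytes; fail fast if it is shorter.
    @Bean
    JwtDecoder jwtDecoder(@Value("${app.jwt.base64-secret}") String base64Secret) { // assumed property
        byte[] key = Base64.getDecoder().decode(base64Secret);
        if (key.length < 64) {
            throw new IllegalStateException("app.jwt.base64-secret must decode to at least 64 bytes");
        }
        return NimbusJwtDecoder.withSecretKey(new SecretKeySpec(key, "HmacSHA512"))
                .macAlgorithm(MacAlgorithm.HS512)
                .build();
    }

    // Dedicated CORS source: only the known front-end origin, only on the API routes.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowedOrigins(List.of("https://app.example.com")); // assumed origin
        cors.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        cors.setAllowedHeaders(List.of("Authorization", "Content-Type", "X-XSRF-TOKEN"));
        cors.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cors);
        return source;
    }

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // CSRF token in a readable cookie that the SPA echoes back in the X-XSRF-TOKEN header;
            // the token-issuing endpoints are excluded because the client has no token yet.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .ignoringRequestMatchers("/api/authenticate", "/api/register"))
            .cors(Customizer.withDefaults())
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives(
                    "default-src 'self'; object-src 'none'; frame-ancestors 'self'"))
                .referrerPolicy(ref -> ref.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                .permissionsPolicy(pp -> pp.policy("camera=(), microphone=(), geolocation=()"))
                .frameOptions(frame -> frame.sameOrigin()))
            // JWT-authenticated API: no server-side session is created for API calls
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // explicit allow-list: sign-in, registration, health/info, public and SSO discovery paths
                .requestMatchers(HttpMethod.POST, "/api/authenticate", "/api/register").permitAll()
                .requestMatchers("/management/health", "/management/info").permitAll()
                .requestMatchers("/api/public/**", "/api/sso/discovery/**").permitAll()
                .requestMatchers("/", "/index.html", "/assets/**").permitAll() // SPA assets (assumed paths)
                // remaining actuator routes need an administrative role
                .requestMatchers("/management/**").hasAuthority("ROLE_ADMIN")
                // everything else under /api needs a valid token; anything unlisted is denied
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll())
            .oauth2ResourceServer(oauth -> oauth.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

The HttpOnly flag mentioned for servlet session cookies is a Spring Boot property rather than code: `server.servlet.session.cookie.http-only: true` in application.yml, with `server.servlet.session.cookie.secure: true` and `server.servlet.session.cookie.same-site: strict` as the matching hardening for the Secure and SameSite attributes. The ordering of the `requestMatchers` calls matters: Spring Security uses the first matching rule, so the narrow allow-listed paths must come before the broad `/api/**` and `/management/**` rules.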
Data protection (transit and at rest)
- Encryption in transit: Traffic should use HTTPS (TLS) end-to-end. The application includes a TLS profile for the embedded server (cipher suites, TLS 1.2); production often terminates TLS on a load balancer or reverse proxy.
- Encryption at rest — application layer: Sensitive SSO configuration values (client secrets, SAML certificate/material) can be stored using AES-GCM with versioned ciphertext.
- Encryption at rest — infrastructure: Volume or disk encryption (e.g. provider-managed encryption or LUKS on dedicated hosts) is part of the hosting stack. FoxPlan’s public SaaS commonly relies on Scaleway infrastructure in France; details appear in FoxPlan’s Privacy Policy and the provider’s documentation.
- Subscriber-supplied keys: Using keys or certificates supplied by the subscribing organization for volume encryption is generally tied to dedicated or non–public-cloud architectures and must be agreed in the project contract—not the standard shared public SaaS model.
- Access limitation and lifecycle: The product supports role-based access, configurable audit and API log retention, and user/account lifecycle operations; statutory retention and privacy rules are set out in the Privacy Policy.
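The “versioned ciphertext” mentioned for application-layer AES-GCM storage means the stored blob carries a format/key version so that a later key rotation or format change can decrypt old and new records side by side. The class below is an added illustration of such an envelope, not FoxPlan’s implementation: it uses AES-256-GCM from the JDK with a random 96-bit nonce, binds a context string (for example the field name and tenant) as additional authenticated data so that a ciphertext copied into another field or tenant fails authentication, and prefixes a version byte. The package name, the layout `version || nonce || ciphertext+tag` and the context string format are assumptions.

```java
package com.example.crypto; // hypothetical package, not FoxPlan's

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Application-layer encryption for stored secrets (e.g. SSO client secrets) with AES-256-GCM.
 * Stored form (base64): version(1 byte) || nonce(12 bytes) || ciphertext+tag.
 * The leading version byte lets a future key or layout change be decrypted alongside old records.
 */
public final class SecretEnvelope {
    private static final byte VERSION_1 = 1;
    private static final int NONCE_BYTES = 12; // 96-bit nonce, the GCM recommendation
    private static final int TAG_BITS = 128;
    private static final SecureRandom RANDOM = new SecureRandom();

    private final SecretKey key;

    public SecretEnvelope(byte[] rawKey) {
        if (rawKey.length != 32) throw new IllegalArgumentException("AES-256 key must be 32 bytes");
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Encrypts plaintext; 'context' (e.g. "sso.clientSecret:tenant42") is bound as AAD. */
    public String encrypt(String plaintext, String context) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RANDOM.nextBytes(nonce); // fresh random nonce per encryption; a nonce must never repeat under one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(context.getBytes(StandardCharsets.UTF_8));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)); // ciphertext || 16-byte tag
        ByteBuffer out = ByteBuffer.allocate(1 + NONCE_BYTES + ct.length);
        out.put(VERSION_1).put(nonce).put(ct);
        return Base64.getEncoder().encodeToString(out.array());
    }

    /** Decrypts a stored value; fails if the version is unknown or the tag does not verify. */
    public String decrypt(String encoded, String context) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(encoded);
        if (blob.length < 1 + NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short");
        }
        if (blob[0] != VERSION_1) {
            throw new GeneralSecurityException("unsupported ciphertext version " + blob[0]);
        }
        byte[] nonce = Arrays.copyOfRange(blob, 1, 1 + NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, 1 + NONCE_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(context.getBytes(StandardCharsets.UTF_8));
        // doFinal throws AEADBadTagException if ciphertext, nonce or AAD was altered
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        RANDOM.nextBytes(key); // in a real deployment the key comes from configuration or a secret manager
        SecretEnvelope env = new SecretEnvelope(key);
        String stored = env.encrypt("client-secret-value", "sso.clientSecret:tenant42");
        System.out.println("stored: " + stored);
        System.out.println("decrypted: " + env.decrypt(stored, "sso.clientSecret:tenant42"));
        try {
            env.decrypt(stored, "sso.clientSecret:tenant99"); // same blob, different tenant: tag check fails
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

When a second key or layout is introduced, `decrypt` dispatches on the version byte (for example a `VERSION_2` branch using the new key) and a background re-encryption job rewrites `VERSION_1` records; until that completes, both versions remain readable.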
Rate limiting
- Configurable sliding-window rate limiting on selected public SSO discovery endpoints reduces automated abuse.
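To make the sliding-window wording concrete, here is an added example (not FoxPlan’s implementation) of a per-key sliding-window limiter wrapped in a servlet filter that applies only to the public SSO discovery paths. The limit of 20 requests per minute, the path prefix `/api/sso/discovery/`, the package name and keying by client IP are assumptions.

```java
package com.example.ratelimit; // hypothetical package, not FoxPlan's

import java.io.IOException;
import java.time.Duration;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

/** Sliding-window limiter: at most 'limit' requests per key within any window of length 'window'. */
public final class SlidingWindowLimiter {
    private final int limit;
    private final long windowMillis;
    private final Map<String, Deque<Long>> hits = new ConcurrentHashMap<>();

    public SlidingWindowLimiter(int limit, Duration window) {
        if (limit < 1) throw new IllegalArgumentException("limit must be positive");
        this.limit = limit;
        this.windowMillis = window.toMillis();
    }

    /** Returns true if a request for 'key' at time 'nowMillis' is within the limit and records it. */
    public boolean tryAcquire(String key, long nowMillis) {
        Deque<Long> window = hits.computeIfAbsent(key, k -> new ArrayDeque<>());
        synchronized (window) {
            // evict timestamps that have slid out of the window
            while (!window.isEmpty() && nowMillis - window.peekFirst() >= windowMillis) {
                window.pollFirst();
            }
            if (window.size() >= limit) return false;
            window.addLast(nowMillis);
            return true;
        }
    }

    /** Housekeeping: drop keys with no requests in the current window (call from a scheduled task). */
    public void evictIdle(long nowMillis) {
        hits.entrySet().removeIf(e -> {
            synchronized (e.getValue()) {
                Long last = e.getValue().peekLast();
                return last == null || nowMillis - last >= windowMillis;
            }
        });
    }
}

/** Applies the limiter to the public SSO discovery paths only, keyed by client address. */
class SsoDiscoveryRateLimitFilter extends OncePerRequestFilter {
    // 20 requests per minute per client is an assumed value
    private final SlidingWindowLimiter limiter = new SlidingWindowLimiter(20, Duration.ofMinutes(1));

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !request.getRequestURI().startsWith("/api/sso/discovery/"); // assumed path prefix
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Behind a reverse proxy, set server.forward-headers-strategy so getRemoteAddr()
        // reflects the real client rather than the proxy.
        String key = request.getRemoteAddr();
        if (!limiter.tryAcquire(key, System.currentTimeMillis())) {
            response.setStatus(429); // Too Many Requests
            response.setHeader("Retry-After", "60");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The filter is registered like any other servlet filter (for example through a `FilterRegistrationBean`); because the discovery endpoints are allow-listed as public in the security chain, limiting them is the main control against scripted enumeration, which is why a 429 is returned rather than an error page. Note that a per-instance in-memory map does not share state across several application instances; a shared store would be needed for a cluster-wide limit.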
Logging, audit, supervision, and incidents
- Audit events: Retention is configurable (default example in configuration: 30 days) with scheduled deletion of older records.
- API request logging: Optional per-organization API request records in the database with bounded retention.
- Operations: Spring Boot Actuator and Prometheus-compatible metrics under configuration-controlled exposure.
- Infrastructure supervision: The hosting provider operates its own security monitoring (e.g. SOC-class processes); FoxPlan complements this with its incident handling—details are contractual.
- Audit cooperation and log delivery: Cooperation on audits and delivery of extended operational logs may depend on service scope, tenant isolation model, and agreement—discuss requirements with FoxPlan.
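As an added illustration of “configurable retention with scheduled deletion of older records” (not FoxPlan’s code), the snippet below shows the shape such a job takes with Spring Data JPA and Spring’s scheduler: a derived delete query on the event timestamp and a daily task that computes the cutoff from a configurable retention period. The entity fields, the property name `app.audit.retention-days` (defaulting to the 30 days cited above), the cron expression and the package name are assumptions.

```java
package com.example.audit; // hypothetical package, not FoxPlan's

import java.time.Instant;
import java.time.temporal.ChronoUnit;

import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;

/** Minimal audit event entity (assumed shape). */
@Entity
class AuditEvent {
    @Id @GeneratedValue Long id;
    Instant createdAt;   // when the event happened
    String principal;    // who triggered it
    String action;       // what was done
}

interface AuditEventRepository extends JpaRepository<AuditEvent, Long> {
    /** Derived delete: DELETE FROM audit_event WHERE created_at < :cutoff; returns rows removed. */
    long deleteByCreatedAtBefore(Instant cutoff);
}

@Component
class AuditRetentionJob {
    private static final Logger log = LoggerFactory.getLogger(AuditRetentionJob.class);

    private final AuditEventRepository repository;
    private final int retentionDays;

    AuditRetentionJob(AuditEventRepository repository,
                      @Value("${app.audit.retention-days:30}") int retentionDays) { // assumed property
        if (retentionDays < 1) throw new IllegalArgumentException("retention must be at least 1 day");
        this.repository = repository;
        this.retentionDays = retentionDays;
    }

    /** Everything strictly older than this instant is eligible for deletion. */
    Instant cutoff(Instant now) {
        return now.minus(retentionDays, ChronoUnit.DAYS);
    }

    // Runs daily at 03:15 server time; requires @EnableScheduling on a configuration class.
    @Scheduled(cron = "0 15 3 * * *")
    @Transactional // derived delete queries must run inside a transaction
    public void purgeExpiredEvents() {
        Instant cutoff = cutoff(Instant.now());
        long removed = repository.deleteByCreatedAtBefore(cutoff);
        // Record the purge itself so an unexpected drop in audit volume can be traced.
        log.info("audit retention: removed {} events older than {}", removed, cutoff);
    }
}
```

Retention is enforced from the application’s clock, so hosts should run with synchronized time; for very large tables the single delete can be replaced by a loop over bounded batches to keep lock times short.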
Data portability and reversibility
- Bulk export: Authorized administrators can export environment data for users, projects, and tasks in CSV, XLSX, XML, or JSON, supporting migration and exit scenarios (exact scope follows product access rules).
Subprocessors, compliance, and certifications
- Subprocessors: Critical infrastructure—and in particular hosting—is described in FoxPlan’s Privacy Policy and contractual subprocessor disclosures. The primary EU hosting partner is commonly Scaleway (France); legal instruments (DPA, SCCs where applicable) follow supplier practice.
- GDPR and privacy: See FoxPlan’s Privacy Policy for data processing principles, retention, subprocessors, and contact details including the DPO.
- RACI / shared responsibility: Allocation of responsibilities between FoxPlan and subscribing organizations is documented in contractual materials (including data-processing and security-related annexes where provided).
- Certifications: ISO 27001, SOC 2, or similar scopes may apply to FoxPlan’s organisation or to the cloud provider; obtain current certificates or reports from FoxPlan or the hosting vendor—source code alone does not prove certification.