Compliance

Security review and penetration test plan

The final security bar should be validated independently, not assumed from code review alone.

Scope

  • Auth and session handling
  • Organization switching and tenant isolation
  • Billing and subscription flows
  • DSAR and compliance request flows
  • Support ticket access controls
  • Notifications
  • Process discovery and mining artifacts
  • Public help and compliance pages

Tasks

  • Run an external penetration test.
  • Map findings to ASVS controls.
  • Retest after remediation.
  • Record unresolved findings and compensating controls.