Government Won't Deploy Software Without Proof It's Secure
Here's ours. Every standard listed below is implemented and verifiable — not a marketing checkbox.
What We Implement
Minimum 12-character passwords. Bcrypt hashing (cost factor 12). No mandatory complexity rules (NIST 800-63B §5.1.1 explicitly discourages them). No periodic forced rotation. Account lockout after 5 failed attempts — 15-minute lockout, not permanent.
TOTP-based MFA (Time-based One-Time Passwords, RFC 6238). Compatible with Google Authenticator, Authy, and any TOTP-compliant app. Enforced for all custodian and supervisor accounts. Officers may optionally enable MFA. Short-lived MFA tokens — partial auth state cannot be reused across sessions.
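The password and lockout rules above, as an added example (not M. Shores Tech code): a length-only acceptance check and a 5-failure, 15-minute temporary lockout that releases itself. Hashing uses hashlib.pbkdf2_hmac as a standard-library stand-in for the bcrypt (cost 12) the page states, so it runs offline; Account, attempt_login and the injected clock are assumptions.

```python
# Added example, not vendor code: the password/lockout policy described above.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MIN_PASSWORD_LENGTH = 12   # NIST 800-63B: length, not composition rules
MAX_FAILED_ATTEMPTS = 5    # lock after the 5th consecutive failure
LOCKOUT_SECONDS = 15 * 60  # temporary lockout, not permanent
PBKDF2_ROUNDS = 200_000    # stand-in for bcrypt cost 12 (assumption)


def password_acceptable(password: str) -> bool:
    """Length-only rule: no mandatory digit/symbol classes, no rotation."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """salt || digest. Real service would use bcrypt; pbkdf2 keeps this stdlib-only."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class Account:
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def attempt_login(account: Account, password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'bad_password'. `now` is injected for testability."""
    if now < account.locked_until:
        return "locked"  # still inside the 15-minute window; do not touch counters
    if verify_password(password, account.password_hash):
        account.failed_attempts = 0
        account.locked_until = 0.0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0  # fresh 5-attempt budget once the lock expires
    return "bad_password"
```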
OWASP Top 10 Coverage
- A01 Broken Access Control — Role-based access control enforced at every endpoint. Tenant-scoping middleware prevents cross-tenant access.
- A02 Cryptographic Failures — AES-256 at rest, TLS in transit, bcrypt for passwords. No custom cryptography.
- A03 Injection — SQLAlchemy ORM with parameterized queries. No raw SQL string concatenation.
- A04 Insecure Design — Threat-modeled architecture. Data wall designed before first line of code.
- A05 Security Misconfiguration — HSTS, CSP, X-Frame-Options, X-Content-Type-Options headers enforced. Permissions-Policy configured.
- A06 Vulnerable Components — Dependency monitoring via package-lock.json and pyproject.toml. Regular dependency updates.
- A07 Auth & Session Failures — JWT access tokens (memory-only, 15-minute expiry). HttpOnly refresh cookies. Account lockout after 5 failures.
- A08 Software & Data Integrity — Build pipeline integrity. No unsigned dependencies.
- A09 Security Logging Failures — Immutable audit logs: every auth event, data access, and admin action timestamped and attributed.
- A10 SSRF — No server-side URL fetch in user-controlled paths. All external integrations vetted at design time.
Every action — login, logout, data access, record creation, modification, deletion — is logged with a timestamp, user identity, IP address, and action detail. Logs cannot be modified or deleted by any application user, including administrators. Export to PDF with one click for audit submissions.
AES-256 encryption for sensitive fields at rest (PII, sensitive case data). TLS 1.2+ enforced for all connections. HSTS with 1-year max-age and includeSubDomains. No unencrypted fallback.
UnitGear and OutreachLink do not store Criminal Justice Information. RMS incident numbers, when referenced in OutreachLink, are stored as plain text reference strings — we never query, ingest from, or write to law enforcement (LE) records management systems. This architectural decision keeps both products outside CJIS compliance scope.
Keyboard navigation for all interactive elements. ARIA roles and labels on all modals, forms, and interactive components. Sufficient color contrast ratios. Screen reader compatible. Focus management on modal open/close.
Security architecture documentation is available to qualified procurement teams on request. Contact matthew@mshorestech.com to request.
Infrastructure & SLA
Monitored continuously. Incidents communicated directly via email or phone — no status page hunting. Uptime targets defined per contract.
Automated nightly database backups with 14-day retention. Point-in-time restore available on request.
In the event of a data loss incident, full restore within 24 hours from last clean backup. RTO documented in contract.
Your Data Is Yours
- All data belongs to the agency. M. Shores Tech has no claim on it.
- Your data is never used for marketing, training, or any purpose outside your contract.
- Upon contract end, full data export provided in standard formats (CSV, JSON, PDF) within 30 days.
- After export confirmation, all data is deleted from our systems within 60 days.
- We do not sell, share, or aggregate your data with any third party.
In the unlikely event M. Shores Tech ceases operations, you receive a complete data export in standard formats (JSON/CSV) at no cost, with 90 days' notice. Your data is never held hostage. This commitment is written into every contract.
Built for the Government Buying Process
Technical specifications, security questionnaires, and compliance documentation provided for formal RFP processes.
1-, 2-, and 3-year contract terms available. Multi-year agreements include locked pricing and priority support.
Standard 30-day legal and IT review period built into every contract. No pressure to close before your team is comfortable.
Business Associate Agreement available for agencies with HIPAA obligations. Signed prior to any data exchange.
Have a Specific Compliance Question?
Every department's IT review is different. If you have a specific requirement, checklist, or question, ask directly. You'll get an honest answer from the developer, not a legal disclaimer.