Account Security Overview

Last updated: May 22, 2026

SIP Toolbox applies layered controls to protect customer accounts and data. This page summarises the user-facing security features of the Service. For platform and infrastructure controls, see the Data Security Policy.

1. Email verification

New sign-ups must verify their email address before they can sign in. Verification links are single-use and expire after 24 hours.

2. Strong password rules

  • Minimum 12 characters.
  • Must include uppercase, lowercase, a number, and a symbol.
  • Passwords are checked against the Have I Been Pwned breach database; known-compromised passwords are blocked.
  • Passwords are hashed with bcrypt; we never store them in clear text.
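The rules above, as an added Python illustration (this is not SIP Toolbox code). It applies the composition rules, then performs the Have I Been Pwned range lookup the way the public API works: only the first five hex characters of the password's SHA-1 leave the client, and the suffix is matched locally (k-anonymity). The network call is replaced by a constructed, offline stand-in (`sample_range_response`) fed from a two-entry breached list, so the counts it returns are made up. bcrypt storage is outside what this stdlib-only example shows.

```python
"""Password policy and k-anonymity breach check (added illustration, not SIP Toolbox code)."""
import hashlib
import re

MIN_LENGTH = 12

# Constructed stand-in for the breached-password corpus: password -> times seen in breaches.
# Used only to fabricate a "range" response below; the real data set is vastly larger.
_BREACHED_SAMPLE = {"password": 9_000_000, "Password123!": 1234}


def _sha1_hex(password: str) -> str:
    """The range API is keyed on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def sample_range_response(prefix: str) -> str:
    """Offline, constructed replacement for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real endpoint answers with one "<35-hex-char suffix>:<count>" line per known hash
    sharing the 5-character prefix. Because only the prefix is sent, the server never
    learns which password was checked.
    """
    lines = []
    for pw, count in _BREACHED_SAMPLE.items():
        digest = _sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Filler entries so the parser has to pick the right line; these suffixes are
    # arbitrary constructed values, not real breached hashes.
    lines.append(_sha1_hex("filler-a")[5:] + ":3")
    lines.append(_sha1_hex("filler-b")[5:] + ":17")
    return "\r\n".join(lines)


def check_policy(password: str) -> list[str]:
    """Return the list of rule violations (empty when every rule is satisfied)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def breach_count(password: str, fetch_range=sample_range_response) -> int:
    """k-anonymity lookup: send the 5-char prefix, compare the suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def validate_password(password: str, fetch_range=sample_range_response) -> tuple[bool, list[str]]:
    """Composition rules first; only policy-passing candidates are checked against breaches."""
    problems = check_policy(password)
    if not problems:
        seen = breach_count(password, fetch_range)
        if seen:
            problems.append(f"found in {seen} known breaches")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("password", "Password123!", "Correct-Horse-Battery-9"):
        print(candidate, validate_password(candidate))
```

To use it against the live service, replace `fetch_range` with a function that performs the HTTPS request for the prefix and returns the response body; the parsing and matching stay the same.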

3. Multi-factor authentication (MFA)

TOTP-based MFA enrolment is available to customers on Business and Enterprise plans. Enterprise customers can additionally require MFA for all members of their workspace and integrate SSO via SAML. Contact support@siptoolboxs.com to enable it for your workspace.

4. Rate limiting

Authentication and password-reset endpoints are rate-limited at the platform edge to mitigate credential stuffing, brute-force guessing, and email bombing (flooding an address with reset messages). Repeated failures from the same IP address or against the same account trigger temporary back-offs.
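An added Python sketch of the two-key back-off described here (not SIP Toolbox's edge configuration, which is not published): failures are counted both per source IP and per target account, and whichever key exceeds the threshold inside the window is blocked for a period that doubles on each repeat. The thresholds, the window and the injectable clock are all constructed for the example.

```python
"""Per-IP and per-account login back-off (added illustration, not SIP Toolbox code)."""
import math
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Counts recent failures per source IP and per account; blocks either key once it
    reaches ``max_failures`` inside ``window`` seconds, doubling the block on each strike.
    The numeric defaults are constructed for this example."""

    def __init__(self, max_failures=5, window=300, base_backoff=30, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window              # seconds over which failures are counted
        self.base_backoff = base_backoff  # first block length in seconds; doubles per strike
        self._clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._strikes = defaultdict(int)      # key -> number of blocks imposed so far
        self._blocked_until = {}              # key -> clock time at which the block lifts

    @staticmethod
    def _keys(ip, account):
        # Two independent keys: a spray across many accounts from one address trips "ip:",
        # a distributed attack on one account trips "acct:".
        return (f"ip:{ip}", f"acct:{account.lower()}")

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip, account):
        """Return (allowed, retry_after_seconds); call before verifying credentials."""
        now = self._clock()
        retry_after = 0
        for key in self._keys(ip, account):
            until = self._blocked_until.get(key, 0.0)
            if until > now:
                retry_after = max(retry_after, math.ceil(until - now))
        return (retry_after == 0, retry_after)

    def record_failure(self, ip, account):
        now = self._clock()
        for key in self._keys(ip, account):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._strikes[key] += 1
                self._blocked_until[key] = now + self.base_backoff * 2 ** (self._strikes[key] - 1)
                self._failures[key].clear()

    def record_success(self, ip, account):
        # A successful login clears the account's counter only; the IP counter is kept so
        # one valid login does not reset an ongoing spray from that address.
        key = self._keys(ip, account)[1]
        self._failures.pop(key, None)
        self._strikes.pop(key, None)
        self._blocked_until.pop(key, None)


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_failures=3, window=60, base_backoff=10)
    for _ in range(3):
        limiter.record_failure("203.0.113.5", "alice")   # constructed sample source and account
    print(limiter.check("203.0.113.5", "alice"))         # blocked, retry in 10 s
    print(limiter.check("198.51.100.7", "bob"))          # unrelated pair, still allowed
```

The `retry_after` value is what a `429` response would carry in its `Retry-After` header; the caller should also return the same generic failure message whether the block or the credential check rejected the attempt, so the limiter does not become an account-existence oracle.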

5. Secure password reset

  • Reset links are signed and single-use, and are sent only to the email address on the account.
  • Links expire 1 hour after issue.
  • The reset page never reveals whether an email is registered.
  • All active sessions are signed out after a password change.
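The four properties above (signed, single-use, 1-hour expiry, uniform response, sessions signed out on change) as an added Python illustration; it is not SIP Toolbox code, and the token format, secret, clock and in-memory stores are constructed for the example. The same `issue_link`/`verify_token` pair also covers the single-use, 24-hour verification links from section 1, with a different purpose string and TTL.

```python
"""Signed, expiring, single-use links with a uniform response (added illustration, not SIP Toolbox code)."""
import base64
import hashlib
import hmac
import secrets
import time

RESET_TTL = 60 * 60          # reset links expire 1 hour after issue
VERIFY_TTL = 24 * 60 * 60    # sign-up verification links expire after 24 hours
UNIFORM_MESSAGE = "If an account exists for that address, a reset link has been sent."


class PasswordResetService:
    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret      # HMAC key; in production this lives in a secrets store
        self._clock = clock
        self.users = {}            # email -> {"id": str, "password_hash": str, "sessions": set()}
        self._pending = {}         # nonce -> (purpose, user_id); removed on first use

    def add_user(self, email, user_id, password_hash="<constructed-hash>"):
        self.users[email] = {"id": user_id, "password_hash": password_hash, "sessions": set()}

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def issue_link(self, user_id: str, purpose: str, ttl: int) -> str:
        """Build <base64url(purpose:user:expiry:nonce)>.<hmac>; the server-side nonce makes it single-use."""
        nonce = secrets.token_urlsafe(16)
        expires = int(self._clock()) + ttl
        payload = f"{purpose}:{user_id}:{expires}:{nonce}".encode()
        self._pending[nonce] = (purpose, user_id)
        encoded = base64.urlsafe_b64encode(payload).decode().rstrip("=")
        return f"https://app.example.invalid/{purpose}?token={encoded}.{self._sign(payload)}"

    def request_reset(self, email: str):
        """Always return the same message; the link (if any) is what would be e-mailed, never shown."""
        user = self.users.get(email)
        link = None if user is None else self.issue_link(user["id"], "reset", RESET_TTL)
        return UNIFORM_MESSAGE, link

    def verify_token(self, token: str, purpose: str):
        """Check signature, purpose, expiry and single use; return the user id or None."""
        try:
            encoded, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
        except ValueError:
            return None
        # Constant-time comparison; compare bytes so a non-ASCII signature cannot raise.
        if not hmac.compare_digest(self._sign(payload).encode(), sig.encode("utf-8")):
            return None
        try:
            tok_purpose, user_id, expires, nonce = payload.decode().split(":")
        except ValueError:
            return None
        if tok_purpose != purpose or int(expires) < self._clock():
            return None
        if self._pending.pop(nonce, None) != (purpose, user_id):   # a second use finds nothing
            return None
        return user_id

    def complete_reset(self, token: str, new_password_hash: str) -> bool:
        user_id = self.verify_token(token, "reset")
        if user_id is None:
            return False
        user = next(u for u in self.users.values() if u["id"] == user_id)
        user["password_hash"] = new_password_hash
        user["sessions"].clear()   # every active session is signed out after the change
        return True


if __name__ == "__main__":
    svc = PasswordResetService(b"constructed-secret-do-not-reuse")
    svc.add_user("alice@example.invalid", "u1")
    print(svc.request_reset("alice@example.invalid")[0])
    print(svc.request_reset("nobody@example.invalid")[0])   # identical message
```

Two details worth noting: the expiry is inside the signed payload, so it cannot be extended by the holder, and single use comes from deleting the server-side nonce, not from anything in the link itself.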

6. Session timeout

Sessions automatically end after 30 minutes of inactivity. Access and refresh tokens are rotated regularly and bound to a single session. Signing out revokes the refresh token immediately.
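An added Python model of this session behaviour (not SIP Toolbox code): a 30-minute idle timeout, refresh tokens bound to one session and replaced on every rotation, and sign-out that drops the refresh token at once. Treating a replayed, already-rotated refresh token as grounds to end the whole session is an assumption added here as a common defensive choice; the page only states that tokens are rotated and bound to a single session. The clock is injectable so the timeout can be exercised without waiting.

```python
"""Idle timeout, refresh-token rotation and immediate revocation (added illustration, not SIP Toolbox code)."""
import hmac
import secrets
import time

IDLE_TIMEOUT = 30 * 60   # sessions end after 30 minutes without activity


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        # session_id -> {"user", "last_seen", "refresh", "used"}; "used" holds rotated-out tokens
        self._sessions = {}

    def create(self, user: str):
        """Start a session; returns (session_id, refresh_token)."""
        sid, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock(),
                               "refresh": refresh, "used": set()}
        return sid, refresh

    def touch(self, sid: str):
        """Record activity; returns the user, or None if the session is gone or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]          # idle timeout: the session ends
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid: str, refresh: str):
        """Exchange the current refresh token for a new one; the old one stops working."""
        if self.touch(sid) is None:
            return None
        s = self._sessions[sid]
        if refresh in s["used"]:
            # Assumption for this example: replay of a rotated-out token means it leaked,
            # so the whole session is revoked rather than just the call rejected.
            del self._sessions[sid]
            return None
        if not hmac.compare_digest(refresh.encode("utf-8"), s["refresh"].encode()):
            return None
        s["used"].add(refresh)
        s["refresh"] = secrets.token_urlsafe(32)
        return s["refresh"]

    def sign_out(self, sid: str) -> None:
        """Dropping the session record revokes its refresh token immediately."""
        self._sessions.pop(sid, None)

    def is_active(self, sid: str) -> bool:
        return sid in self._sessions


if __name__ == "__main__":
    store = SessionStore()
    sid, refresh = store.create("alice")      # constructed sample user
    new_refresh = store.rotate(sid, refresh)
    print(new_refresh != refresh, store.rotate(sid, refresh) is None)   # True True
```

The access token itself is not modelled; in a real deployment it is short-lived and carries the session id, and `touch` is what its validation would call on each request.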

7. Role-based access control (RBAC)

Access inside a workspace is granted by role:

  • Admin — full administrative access, including user and billing management.
  • User — standard reviewer access to projects shared with them.
  • Viewer — read-only access to shared projects and reports.

Role checks are enforced at the database layer with Row-Level Security, so they cannot be bypassed by a compromised or modified client.

Reporting a security issue

Email security@siptoolboxs.com with details. We acknowledge reports within two business days.