Enterprise-grade security built in
Award programs handle sensitive data — nominations, scores, personal details, and payment information. AwardPro is built from the ground up with security at every layer.
Encryption in Transit & at Rest
All data is transmitted over TLS 1.3. Data stored on disk is encrypted with AES-256. Encryption keys are rotated on a regular schedule and stored separately from the data they protect.
Role-Based Access Control (RBAC)
Seven distinct roles — Super Admin, Org Admin, Award Manager, Judge, Applicant, Sponsor, and Member — each with precisely scoped permissions. No user can access data outside their role or organisation boundary.
Per-Organisation Data Isolation
Multi-tenant architecture enforces a TenantScope on every database query. One organisation's nominations, judges, and reports are completely invisible to all other organisations, even at the database level.
Two-Factor Authentication (2FA)
All users can enable TOTP-based 2FA (Google Authenticator, Authy). Recovery codes are provided at setup. Admins can require 2FA across their organisation.
API Security
API tokens are scope-limited (read:awards, write:nominations, etc.). Webhook payloads are HMAC-signed with a per-organisation secret. Tokens are shown only once at creation and stored as a secure hash.
Audit Logging
Every administrative action is written to an immutable audit log with timestamp, actor, and action. Super Admins can filter, search, and export the log. Logs are retained for 7 years for compliance.
Responsible Disclosure
If you discover a security vulnerability in AwardPro, please report it privately to security@awardhub.io. We will acknowledge your report within 48 hours and work with you on a responsible disclosure timeline.
Questions about our security posture?
Our team is happy to share security documentation, answer technical questions, or schedule a review call.
Contact our security team