Security
:::info Source
Sourced from services/notification-service/SECURITY_MODEL.md in the documentation repo.
:::
1. Authentication
Internal callers authenticate with JWTs; service-to-service (S2S) calls use mTLS. Incoming webhooks from providers (Twilio SMS delivery status, SES bounces) are HMAC-signed and verified before they are processed.
2. Authorization
- `notifications:read:self`: learners
- `notifications:send:internal`: service-to-service
- `notifications:template:write`: admin
- `notifications:preferences:write`: self
3. Multi-Tenant Isolation
Row-level security (RLS) at the database layer. Templates are tenant-scoped; a template belonging to one tenant is never rendered or referenced for another.
4. Data Handling
- Email bodies may contain tenant data; stored encrypted at rest.
- PII minimized in logs; full content in audit tier only.
5. Threat Model
| Threat | Mitigation |
|---|---|
| Phishing via compromised templates | Review of admin-created templates; AI moderation of tenant-created templates |
| Email spoofing | DKIM + SPF + DMARC enforced on outbound domain |
| Webhook spoofing (providers) | HMAC signature + timestamp |
| Rate-limit bypass | Per-user + per-tenant rate limits |
| PII leak via delivery receipt | Redaction; audit retention |
| SMS abuse (toll fraud) | Country-block list; per-tenant cap; monitoring |
| Push notification hijack | Device tokens rotated; expired tokens purged |
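The webhook check named in the Authentication section and in the "HMAC signature + timestamp" row above, written out as an added Python example (this is illustration, not code from the notification service): an HMAC-SHA256 over `timestamp.body`, a clock-skew window, a constant-time comparison, and a replay cache keyed by signature. The header names, the secrets, the `WebhookVerifier` class and the `<timestamp>.<body>` canonicalization are assumptions. Real providers each use their own scheme (Twilio's `X-Twilio-Signature` canonicalizes differently, and SES notifications delivered through SNS are verified against an SNS signing certificate rather than a shared HMAC key), so in production use the provider's verifier for the signature itself and keep the freshness and replay checks shown here.

```python
import hashlib
import hmac
import time

# Assumption: one shared secret per provider, loaded from a secret store in the real service.
# These byte strings are constructed for the example only.
WEBHOOK_SECRETS = {
    "twilio": b"constructed-twilio-webhook-secret",
    "ses": b"constructed-ses-webhook-secret",
}
MAX_SKEW_SECONDS = 300  # reject timestamps more than 5 minutes from our clock


class WebhookVerifier:
    """HMAC-SHA256 + timestamp + replay-cache verifier (hypothetical scheme)."""

    def __init__(self, secrets, max_skew=MAX_SKEW_SECONDS, clock=time.time):
        self._secrets = secrets
        self._max_skew = max_skew
        self._clock = clock            # injectable so tests can freeze time
        self._seen = {}                # (provider, signature) -> expiry epoch

    def sign(self, provider, timestamp, body):
        # Canonical string is "<timestamp>.<raw body>"; binding the timestamp into the
        # MAC is what stops an attacker from re-dating a captured request.
        msg = str(timestamp).encode() + b"." + body
        return hmac.new(self._secrets[provider], msg, hashlib.sha256).hexdigest()

    def verify(self, provider, headers, body):
        """Return (accepted, reason). Body must be the raw bytes as received."""
        if provider not in self._secrets:
            return False, "unknown provider"
        ts_raw = headers.get("X-Webhook-Timestamp", "")
        sig = headers.get("X-Webhook-Signature", "")
        if not ts_raw.isdigit():
            return False, "missing timestamp"
        ts = int(ts_raw)
        now = int(self._clock())
        if abs(now - ts) > self._max_skew:
            return False, "timestamp outside window"
        # Constant-time compare: a plain == leaks how long the matching prefix is.
        if not hmac.compare_digest(self.sign(provider, ts, body), sig):
            return False, "bad signature"
        self._purge(now)
        if (provider, sig) in self._seen:
            return False, "replay"
        # Remember the signature for as long as its timestamp could still be accepted.
        self._seen[(provider, sig)] = ts + self._max_skew + 1
        return True, "ok"

    def _purge(self, now):
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}


def demo():
    """Drive the verifier with constructed delivery-status callbacks."""
    clock = [1_700_000_000]
    v = WebhookVerifier(WEBHOOK_SECRETS, clock=lambda: clock[0])
    body = b'{"MessageSid":"SM-constructed","MessageStatus":"delivered"}'
    ts = clock[0]
    good = {"X-Webhook-Timestamp": str(ts),
            "X-Webhook-Signature": v.sign("twilio", ts, body)}
    results = {"valid": v.verify("twilio", good, body)}
    results["replay"] = v.verify("twilio", good, body)          # same request delivered twice
    results["tampered"] = v.verify("twilio", good, body.replace(b"delivered", b"failed"))
    stale_ts = ts - 600
    stale = {"X-Webhook-Timestamp": str(stale_ts),
             "X-Webhook-Signature": v.sign("twilio", stale_ts, body)}
    results["stale"] = v.verify("twilio", stale, body)          # correctly signed but too old
    results["wrong_key"] = v.verify("ses", good, body)          # signed with another provider's key
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} accepted={ok} reason={why}")
```

The replay cache is per-process here; behind more than one replica it needs a shared store (or the provider's message ID as the key) with the same expiry, otherwise a duplicate delivered to a different instance is accepted.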
6. Suppression Lists
- Per-tenant suppression list (bounces, unsubscribes, abuse reports).
- Honored before send.
- Synced across providers.
7. Audit
- Every send logged with template, recipient (hashed), channel, outcome.
- Compliance exports for specific recipients (GDPR subject request).
8. GDPR
- Erasure: remove recipient from all future sends; anonymize historical delivery records.
- Right to be forgotten honored across providers.
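One way the suppression, audit and erasure rules above fit together, as an added Python example that is not the service's own code: both the suppression list and the audit rows key on a keyed hash of the normalized, tenant-scoped recipient (HMAC with a per-deployment secret, here a constructed constant), so the audit tier never holds raw addresses and one address cannot be correlated across tenants; the suppression check runs before the provider is called; and erasure both adds a suppression entry and unlinks the subject's historical rows while keeping template, channel and outcome for statistics. Syncing the suppression list across providers is out of scope. `NotificationStore`, `recipient_hash`, `AUDIT_HASH_KEY` and the in-memory structures are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: a per-deployment secret for hashing recipients (constructed value here;
# a real deployment loads it from a secret store and manages it with the audit tier).
AUDIT_HASH_KEY = b"constructed-audit-hmac-key"


def normalize(address):
    return address.strip().lower()


def recipient_hash(tenant_id, address):
    """Keyed hash of a tenant-scoped recipient.

    HMAC rather than bare SHA-256: without the key, anyone holding the audit log could
    confirm membership of a guessed address. Binding tenant_id prevents correlating
    one address across tenants.
    """
    msg = f"{tenant_id}:{normalize(address)}".encode()
    return hmac.new(AUDIT_HASH_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class NotificationStore:
    """In-memory stand-in for the suppression and audit tables (hypothetical)."""
    suppression: dict = field(default_factory=dict)  # tenant_id -> {recipient_hash: reason}
    audit: list = field(default_factory=list)        # append-only send records

    def suppress(self, tenant_id, address, reason):
        self.suppression.setdefault(tenant_id, {})[recipient_hash(tenant_id, address)] = reason

    def send(self, tenant_id, template_id, channel, address, provider_send):
        """Check the tenant's suppression list, then call the provider; always log."""
        rh = recipient_hash(tenant_id, address)
        reason = self.suppression.get(tenant_id, {}).get(rh)
        if reason is None:
            outcome = provider_send(normalize(address))
        else:
            outcome = f"suppressed:{reason}"
        # A blocked send to an erased subject must not re-link them in the audit tier.
        self.audit.append({
            "tenant": tenant_id, "template": template_id, "channel": channel,
            "recipient": "anonymized" if reason == "erasure" else rh,
            "outcome": outcome,
        })
        return outcome

    def export_for_subject(self, tenant_id, address):
        """GDPR subject-access export: every audit row for this recipient."""
        rh = recipient_hash(tenant_id, address)
        return [row for row in self.audit if row["recipient"] == rh]

    def erase_subject(self, tenant_id, address):
        """Erasure: block future sends and unlink historical rows. Returns rows anonymized."""
        self.suppress(tenant_id, address, "erasure")
        rh = recipient_hash(tenant_id, address)
        count = 0
        for row in self.audit:
            if row["recipient"] == rh:
                row["recipient"] = "anonymized"   # template/channel/outcome kept for stats
                count += 1
        return count


def demo():
    """Constructed walk-through: send, bounce suppression, tenant scoping, erasure."""
    store = NotificationStore()
    provider_calls = []

    def fake_provider(addr):            # stands in for the email/SMS provider client
        provider_calls.append(addr)
        return "delivered"

    store.send("tenant-a", "welcome", "email", "Alice@Example.com", fake_provider)
    store.suppress("tenant-a", "bob@example.com", "bounce")
    store.send("tenant-a", "welcome", "email", "bob@example.com", fake_provider)
    store.send("tenant-b", "welcome", "email", "bob@example.com", fake_provider)  # not suppressed there
    rows_before = len(store.export_for_subject("tenant-a", "alice@example.com"))
    erased = store.erase_subject("tenant-a", "alice@example.com")
    later = store.send("tenant-a", "digest", "email", "alice@example.com", fake_provider)
    return {
        "provider_calls": provider_calls,
        "rows_before": rows_before,
        "erased": erased,
        "send_after_erasure": later,
        "rows_after": len(store.export_for_subject("tenant-a", "alice@example.com")),
        "raw_address_in_audit": any("@" in row["recipient"] for row in store.audit),
    }


if __name__ == "__main__":
    print(demo())
```

Note the tension the example resolves: honoring an erasure request requires remembering the subject well enough to block future sends, so the suppression entry holds the keyed hash rather than the address, and a send blocked for that reason is logged without the hash so the audit tier cannot re-identify the subject afterwards.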
9. Compliance
- CAN-SPAM (email unsubscribe required).
- GDPR: explicit consent for marketing; learner consent for optional notifications.
- CASL (Canada), ASPI, etc.
- HIPAA for healthcare: encrypted channels only.