Built with public-sector security controls from day one.
Command Bridge is built for agencies that handle sensitive operational, law enforcement, health, and emergency management data. Security is enforced at every layer — not bolted on as an afterthought.
Need this reviewed by IT or procurement?
We provide a security assurance packet under NDA — the kind of documentation your IT, legal, and emergency management teams can actually review.
Packet includes
- Security architecture overview
- Data isolation model
- Access control summary
- Audit logging summary
- Encryption and backup summary
- Subprocessor list
- Incident response overview
- Vulnerability management process
- CJIS alignment matrix
- Recent security review summary (when available)
What this means for your agency
Security explained in plain language — no jargon, just what matters for your operations.
Your data is completely separate
Your agency's data is walled off from every other agency at the database level — not just by the software. No other agency can ever access your information.
Every action is permanently logged
Who did what, when, and what changed — recorded across 247+ resource types. Audit logs can't be edited or deleted by anyone, including administrators.
You control who sees what
50+ permission settings let you control exactly who can view, edit, approve, or delete across every module. Build custom roles for your agency's structure.
Works with your existing login
Enterprise single sign-on integrates with your agency's identity provider. No separate passwords to manage.
Sessions lock automatically
Idle timeout and session limits are configurable per agency. Failed login attempts trigger automatic lockout.
CJIS-aligned architecture
Built to support the security requirements of law enforcement and public safety agencies, including MFA, audit logging, access control, encryption, and tenant isolation.
Data classification built in
Every record can be classified: public, internal, sensitive, law enforcement, or health. Access controls enforce classification levels automatically.
Export audit logs anytime
Full audit trail exportable for compliance reviews, legal requests, or internal audits — with complete before-and-after records of every change.
CJIS Alignment Summary
Command Bridge is not claiming agency-level CJIS certification on behalf of customers. We provide controls designed to support CJIS-aligned deployments, including:
- Multi-factor authentication and SSO
- Immutable audit logging
- Role-based access control
- Encryption in transit and at rest
- Incident response procedures
- Database-level tenant isolation
Final CJIS compliance depends on agency configuration, policies, hosting environment, and applicable state CJIS authority requirements. A detailed CJIS alignment matrix is available in the security packet.
Common security questions
Quick answers for the questions your reviewers will ask.
Where is data hosted?
Command Bridge runs on Linode (Akamai) cloud infrastructure with data centers in the United States.
Is data encrypted at rest and in transit?
Yes. All data is encrypted in transit, and at rest at the database level.
Who are your subprocessors?
Linode/Akamai (hosting), Auth0 (authentication), and ArcGIS/Esri (mapping). All three maintain SOC 2 compliance.
Do you use customer data to train AI models?
No. Agency data is never used to train AI models.
How do agencies delete or export their data?
Agencies can export a full JSON archive of their data and files at any time. Upon contract termination, all agency data is deleted within 90 days.
Do you have a vulnerability disclosure contact?
Yes. Contact us for details on how to report security concerns to our team.
Have you done any third-party security testing?
Our infrastructure partners — Linode, Auth0, and ArcGIS — are all SOC 2 certified. We conduct internal security reviews and are planning independent penetration testing.
What is your SOC 2 / CJIS / FedRAMP roadmap?
We maintain CJIS-aligned controls today and are targeting SOC 2 certification by late 2026 or early 2027. FedRAMP is on our long-term roadmap.
Your IT team wants the technical details?
Everything below is for your technical reviewers — the full architecture, protocols, and controls.
- Row-Level Security (RLS) on all database tables
- Database-enforced tenant separation — not just application logic
- Tenant context propagated via AsyncLocalStorage
- Users can belong to multiple tenants with secure context switching
- No cross-tenant data leakage by design
- 50+ granular permissions across 12+ modules
- Pre-built role templates (Admin, Manager, Operator) plus custom roles
- Permission actions: view, create, edit, delete, approve, module-specific
- Role cloning for rapid setup
- Permission caching with LRU eviction for performance
- Per-role home dashboard assignment
- Auth0 integration with RS256 JWT verification
- Enterprise SSO support
- Configurable session and idle timeouts per agency
- Failed login lockout with Redis-backed tracking
- IP allowlist enforcement
- CSRF protection via Origin/Referer validation
- CORS with explicit origins — no wildcards with credentials
- Rate limiting across 5 tiers (API: 300/min, Strict: 10/min, Bulk: 20/min, AI: 30/min, Report: 5/min)
- File type validation and SVG sanitization
- CAPTCHA protection (Turnstile) on public portal
- API key management with platform and tenant-level scoping
- SHA256 key hashing — plaintext never stored
- Granular permission arrays per key
- Configurable expiration dates
- Usage tracking (count and timestamp)
- Dedicated usage logging table
- Revocation capability
Ready for a security conversation?
Request our security packet for your IT and procurement team, or schedule a live briefing to walk through the architecture and answer your compliance questions.