Defense-in-Depth Layers
Network & CDN
Cloudflare WAF sits in front of all traffic. DDoS mitigation, bot management, and IP reputation filtering are applied before requests reach Vercel’s edge.
Transport Security
All connections are TLS 1.2+. HSTS with a two-year max-age and preload is enforced at the HTTP header layer via next.config.ts.
Authentication
Auth.js v5 (NextAuth) with bcrypt-hashed passwords and JWT sessions. Credentials are never logged or transmitted in plaintext.
Authorisation & Tenancy
Role-based access control (RBAC) with four roles. Every data query is scoped by brokerId / schemeId — cross-tenant access is structurally impossible.
Data Protection
PPS numbers are AES-256 encrypted at the application layer before storage. The encryption key is held only in Vercel environment variables.
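An added example, not PensionsPortal.ie's own code, of what application-layer AES-256 encryption of a PPS number looks like before the value is written to the database. It assumes AES-256-GCM (the page states only AES-256) so that a modified ciphertext is rejected on decrypt, an environment variable named PPS_ENCRYPTION_KEY holding a base64-encoded 32-byte key, and a "v1:" + base64(iv || ciphertext || tag) storage format; all three are assumptions.

```typescript
// Added example (not the platform's own code): application-layer AES-256-GCM
// encryption of a PPS number. PPS_ENCRYPTION_KEY and the "v1:" storage format
// are assumptions for this example.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const ALGORITHM = "aes-256-gcm";
const IV_BYTES = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_BYTES = 16; // 128-bit authentication tag

// Reads the key from the environment. Throws instead of falling back to a
// default, so a missing key can never silently result in plaintext storage.
export function loadKey(env: Record<string, string | undefined> = process.env): Buffer {
  const raw = env.PPS_ENCRYPTION_KEY;
  if (!raw) throw new Error("PPS_ENCRYPTION_KEY is not set");
  const key = Buffer.from(raw, "base64");
  if (key.length !== 32) throw new Error("PPS_ENCRYPTION_KEY must decode to 32 bytes");
  return key;
}

// Returns "v1:" + base64(iv || ciphertext || tag). The version prefix allows a
// later key or algorithm rotation without guessing the format of old rows.
export function encryptPps(pps: string, key: Buffer): string {
  const iv = randomBytes(IV_BYTES); // fresh nonce for every encryption
  const cipher = createCipheriv(ALGORITHM, key, iv);
  const ct = Buffer.concat([cipher.update(pps, "utf8"), cipher.final()]);
  return "v1:" + Buffer.concat([iv, ct, cipher.getAuthTag()]).toString("base64");
}

export function decryptPps(stored: string, key: Buffer): string {
  if (!stored.startsWith("v1:")) throw new Error("unknown ciphertext version");
  const blob = Buffer.from(stored.slice(3), "base64");
  if (blob.length < IV_BYTES + TAG_BYTES) throw new Error("ciphertext too short");
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(blob.length - TAG_BYTES);
  const ct = blob.subarray(IV_BYTES, blob.length - TAG_BYTES);
  const decipher = createDecipheriv(ALGORITHM, key, iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify (tampered ciphertext or wrong key)
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```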
Audit Trail
An append-only audit_logs table records every material action. No UPDATE or DELETE is permitted on audit rows.
Observability
Sentry (EU region) captures errors and performance traces. Structured logs via Pino feed into alerting pipelines.
AI Guardrails
All AI-generated changes require explicit broker approval via the Change Proposal workflow before any data mutation occurs.
Hosting & Data Residency
| Component | Provider | Region |
|---|---|---|
| Application | Vercel | EU (dub1, cdg1, arn1) |
| Database | Neon PostgreSQL | UK (aws-eu-west-2) |
| AI Inference | Anthropic Claude | EU (ANTHROPIC_INFERENCE_GEO=EU) |
| Error Monitoring | Sentry | EU (de.sentry.io) |
| CDN / WAF | Cloudflare | Global edge |
| | Resend | — |
Regulatory Context
PensionsPortal.ie operates as a technology platform for pension trustees subject to:
- IORP II Directive (2016/2341/EU) — transposed into Irish law via the IORP II Regulations 2021
- GDPR — data minimisation, encryption, right of erasure, breach notification within 72 hours
- Pensions Authority Guidance — fit-and-proper requirements, governance documentation
This document reflects the technical security posture of the platform. Trustees retain ultimate governance responsibility and must ensure their own operational security practices (access controls, device management, incident response) complement these platform controls.
Security Pages
| Topic | Page |
|---|---|
| Authentication | NextAuth Configuration |
| MFA & Privileged Access | MFA and Privileged Access |
| Authorisation | RBAC Model |
| Sessions & Cookies | Session and Cookie Policy |
| Secure Development | SDLC |
| Vulnerability Management | Vulnerability Management |
| Secrets | Secrets Management |
| Encryption | Encryption at Rest and in Transit |
| HTTP Headers | Security Headers & CSP |
| Rate Limiting | Rate Limiting and Abuse |
| Audit Logging | Audit Logging |
| Monitoring | Monitoring and Alerting |
| Sentry | Sentry Observability |
| WAF | Cloudflare WAF and Zero Trust |