← Back to CaratOS

Security

How your firm's data is handled and protected.

Authentication & access

Sign-in is token-based (JWT), so a session is never a raw password sitting in a cookie. Staff accounts get scoped permissions set by the firm's admin — for example, a counter-sales role can use Sales Mode and inventory without seeing cash flow totals or firm-wide settings.

Data handling

Multi-tenant isolation

Each firm's data is scoped to its own account — inventory, customers, and financial records for one firm are not visible to another, even though CaratOS runs as shared infrastructure across firms.

Reporting a concern

If you believe you've found a security issue, email chirant@izaragems.com directly rather than filing it publicly. We'll acknowledge and follow up.

This page describes current platform practices and will be extended as CaratOS adds features like data export, audit logs, and formal compliance certifications.