Security Overview
PAQGEN protects brand authenticity data with workspace isolation, role-based access, rate limits, audit logging, and operational controls.
Workspace Isolation
Each brand workspace uses a separate PostgreSQL schema. API access is scoped by authenticated user role and company. Non-superadmin users cannot access another company workspace.
Access Controls
- Viewer users can read products, QR batches, scans, reports, and activity.
- Operators can create product/packaging/QR data and update unit status.
- Company admins can manage team access and workspace data.
- Superadmins are reserved for PAQGEN platform administration and support.
Audit and Evidence
Workspace actions are recorded in audit logs. Company admins can export audit CSV records for review, support, and security checks.
Platform Controls
PAQGEN uses HTTPS, CORS allowlists, login rate limits, account lockout, upload validation, QR verification rate limits, database backups, and health monitoring.
Important Limitation
As with most SaaS platforms, authorised PAQGEN superadmins can technically access customer data for support, security, and operations. This access is restricted by policy and should be audited.