Security at VasKem

Your warehouse data is business-critical. Here is exactly how VasKem protects it.

Multi-tenant Data Isolation

Every organisation's data is completely isolated. Your data is never mixed with another company's records, and no tenant can access another tenant's information. This isolation is enforced by design at the database query layer.

  • Global query filters enforce tenant boundaries on every database query
  • Tenant ID validated on every authenticated request
  • No shared data tables between organisations

Encryption in Transit

All traffic between your browser and VasKem is encrypted using TLS (HTTPS). Connections made over plain HTTP are automatically redirected to HTTPS.

  • HTTPS enforced on all pages
  • TLS 1.2 and 1.3 supported
  • HTTP Strict Transport Security (HSTS) headers set

Authentication & Access Control

VasKem uses secure cookie-based authentication with hardened settings. Every user is assigned a role and a granular permission set that controls exactly which modules and actions they can access.

  • Secure, HttpOnly, SameSite=Strict session cookies
  • PBKDF2-SHA256 password hashing with salting
  • Role-based permissions (48 individual permission bits)
  • Per-user permission overrides for fine-grained control

Audit Logging

Every significant action in VasKem is recorded in an immutable audit log. You can see who did what and when, across all warehouse operations.

  • User, action, timestamp and change detail recorded
  • Audit log viewer available to authorised administrators
  • Covers stock movements, dispatch, receipts, user changes and more

Backups

VasKem supports tenant-level data backups. Administrators can download a complete backup of their organisation's data at any time.

  • On-demand backup download for each tenant
  • Includes all entities: products, orders, customers, stock, logistics, audit log
  • Backups are downloadable as JSON for portability

Hosting & Infrastructure

VasKem is hosted on a dedicated server based in South Africa. We do not share infrastructure with unrelated services.

  • Dedicated server — no shared hosting
  • South Africa-based infrastructure
  • Nginx reverse proxy with security headers
  • Application runs as a least-privilege system user

Responsible Disclosure

If you discover a security vulnerability in VasKem, please report it responsibly before public disclosure. We investigate all reports and will acknowledge your contribution.

hello@vaskem.com — subject: Security Vulnerability Report

See also: /.well-known/security.txt

Have a security question or need a data processing agreement? Get in touch.