How EdgeRent Lite handles security, privacy, and operational controls
This page describes the controls that are implemented in the product today and the operational topics we discuss with clients during deployment. We avoid broad security claims and focus on what is actually in place.
Controlled admin access
Admin access is protected by authenticated sessions and role-based permissions for ROOT, OWNER, and STAFF users.
Validated file uploads
Driver-license uploads are limited by file type, file size, and basic file-signature validation before storage.
Retention controls
Uploaded driver-license files are scheduled for deletion 30 days after the rental end date.
Operational audit trail
Administrative actions can be written to audit logs so booking and management changes can be reviewed later.
Controls implemented in the current product
Password handling
Admin passwords are stored as bcrypt hashes. Plain-text passwords are not stored in the application database.
Authenticated sessions
Admin sessions are issued as signed tokens with a 24-hour expiration. Session cookies are httpOnly, use sameSite=lax, and are marked secure in production.
Upload validation
License uploads accept JPG, PNG, and PDF only, enforce an 8 MB size limit, and validate file signatures before the file is accepted.
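The upload checks described above can be pictured with the following added example, which is not EdgeRent Lite's own code. It is a Node.js sketch in which every function and field name is hypothetical, and the sample uploads are constructed for illustration.

```javascript
// Added example; not EdgeRent Lite source. All names here are hypothetical.
const MAX_BYTES = 8 * 1024 * 1024; // 8 MB limit stated on the page

// Leading "magic bytes" for the three accepted formats.
const SIGNATURES = [
  { mime: 'image/jpeg', exts: ['jpg', 'jpeg'], magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { mime: 'image/png', exts: ['png'],
    magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { mime: 'application/pdf', exts: ['pdf'], magic: Buffer.from('%PDF-', 'latin1') },
];

// Identify the format from content, never from the client-supplied name or MIME type.
function detectType(data) {
  return SIGNATURES.find((s) => data.length >= s.magic.length &&
    data.subarray(0, s.magic.length).equals(s.magic)) || null;
}

// Returns { ok: true, mime } or { ok: false, reason }; call before writing to storage.
function validateLicenseUpload({ filename, declaredMime, data }) {
  if (!Buffer.isBuffer(data) || data.length === 0) return { ok: false, reason: 'empty' };
  if (data.length > MAX_BYTES) return { ok: false, reason: 'too_large' };
  const detected = detectType(data);
  if (!detected) return { ok: false, reason: 'unknown_signature' };
  if (declaredMime !== detected.mime) return { ok: false, reason: 'mime_mismatch' };
  const ext = String(filename).split('.').pop().toLowerCase();
  if (!detected.exts.includes(ext)) return { ok: false, reason: 'extension_mismatch' };
  return { ok: true, mime: detected.mime };
}

// Constructed sample uploads (not real documents).
const pngHeader = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const samples = {
  validPng: { filename: 'license.png', declaredMime: 'image/png', data: pngHeader },
  htmlAsJpg: { filename: 'license.jpg', declaredMime: 'image/jpeg',
    data: Buffer.from('<html>not an image</html>') },
  pngNamedPdf: { filename: 'license.pdf', declaredMime: 'image/png', data: pngHeader },
  oversizedPdf: { filename: 'scan.pdf', declaredMime: 'application/pdf',
    data: Buffer.concat([Buffer.from('%PDF-1.7\n'), Buffer.alloc(MAX_BYTES)]) },
};

for (const [name, upload] of Object.entries(samples)) {
  console.log(name, JSON.stringify(validateLicenseUpload(upload)));
}
```

A matching signature only confirms the leading bytes of a file, so this check complements private storage and proxied delivery rather than replacing them.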
Private file storage
Sensitive uploaded files are stored in private blob storage and served through an application proxy instead of being exposed as public assets.
Driver-license retention
Driver-license files are assigned a delete-after date and a protected cleanup job removes them after the retention window expires.
Audit and evidence
The platform stores operational timestamps such as terms acceptance, pickup and return events, and can record admin actions in audit logs.
Topics handled as part of deployment and business operations
Backups
Backup schedules and retention are deployment-specific. For each client environment, backup expectations should be agreed and documented at the infrastructure level.
Recovery and restoration
Recovery procedures, restore testing, and service-level expectations should be defined per deployment so the client knows the actual restore path for their environment.
