Technical & organisational measures

This page lists the technical and organisational measures (TOMs) that the ZentraLink platform supports out of the box. The list reflects what the codebase actually implements; operators add their own physical and procedural measures on top.

Access control

  • Self-hosted deployment on operator-owned infrastructure; physical access controlled by the host provider's policies (Hetzner / IONOS / on-prem).
  • Argon2id password hashing (memoryCost 19 MiB, the minimum memory cost that the OWASP Password Storage Cheat Sheet recommends for Argon2id).
  • Two-factor authentication via TOTP with single-use backup codes.
  • Server-side opaque session tokens (random identifiers with no embedded claims; the session state lives in the database), 14-day TTL, delivered in cookies with the Secure, HttpOnly and SameSite attributes set.
  • Role-based access control (OWNER, ADMIN, MANAGER, MEMBER, VIEWER).
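The session scheme in the list above, as an added example in TypeScript using Node's crypto module; this is not ZentraLink's own code, and the function names, the in-memory Map standing in for the sessions table and the SameSite=Lax choice are assumptions. The point it demonstrates: the cookie carries only a random identifier, the server stores a hash of that identifier, so a leaked database cannot be replayed as live sessions, and expiry and revocation are decided server-side rather than by anything the client holds.

```typescript
import { createHash, randomBytes } from "node:crypto";

// 14 days, as stated on this page.
export const SESSION_TTL_MS = 14 * 24 * 60 * 60 * 1000;

interface SessionRow {
  tokenHash: string; // SHA-256 of the token; the raw token is never persisted
  userId: string;
  expiresAt: number; // epoch milliseconds
}

// Stand-in for the sessions table, keyed by token hash (constructed for this example).
const sessions = new Map<string, SessionRow>();

function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

// Issue a session: 256-bit random opaque token, only its hash stored server-side,
// raw token handed to the browser in a Secure + HttpOnly + SameSite cookie.
export function createSession(
  userId: string,
  now: number = Date.now(),
): { token: string; setCookie: string } {
  const token = randomBytes(32).toString("base64url");
  const row: SessionRow = { tokenHash: hashToken(token), userId, expiresAt: now + SESSION_TTL_MS };
  sessions.set(row.tokenHash, row);
  const setCookie =
    `session=${token}; Path=/; Max-Age=${SESSION_TTL_MS / 1000}; Secure; HttpOnly; SameSite=Lax`;
  return { token, setCookie };
}

// Resolve a presented token to a user id, or null if unknown, revoked or expired.
// Lookup is by hash, so the stored value is useless to whoever reads the table.
export function validateSession(token: string, now: number = Date.now()): string | null {
  const row = sessions.get(hashToken(token));
  if (!row) return null;
  if (row.expiresAt <= now) {
    sessions.delete(row.tokenHash); // lazy expiry; a scheduled sweep would do this in bulk
    return null;
  }
  return row.userId;
}

// Logout / forced revocation: removing the row invalidates the cookie immediately,
// which a self-contained (JWT-style) token could not do before its own expiry.
export function revokeSession(token: string): boolean {
  return sessions.delete(hashToken(token));
}
```

In a real deployment the Map is the sessions table and `validateSession` runs inside whatever the route-level tenant context check is; the TTL is enforced by `expiresAt`, not by the cookie's Max-Age, which the client can ignore.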

Authorisation

  • Tenant-scoped data access on every API route via requireTenantContext().
  • Per-route RBAC checks (RESOURCE_WRITE, USER_MANAGE, TENANT_MANAGE, AUDIT_READ).
  • Approver-role configuration for DNS change requests (TenantPolicy).
  • Tenant isolation verified by automated smoke tests on every phase.

Pseudonymisation / minimisation

  • Audit log stores user id + structured metadata, not raw payloads.
  • Login fingerprints are stored as SHA-256 hashes (not raw IP/UA pairs).
  • Backup codes stored as argon2id hashes only.
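An added example, not ZentraLink's code, on the fingerprint item above: hashing an IP/UA pair with SHA-256 keeps the raw values out of the table, but a plain hash of a low-entropy input can be recomputed by anyone who can enumerate the inputs, and a /24 times a short list of common user agents is a few thousand guesses. The block below shows that enumeration against an unkeyed fingerprint, and a keyed (HMAC) variant that a reader of the table cannot reverse without the server-side key. The function names, the key handling and the sample addresses (from the 203.0.113.0/24 documentation range) are assumptions constructed for the example.

```typescript
import { createHash, createHmac } from "node:crypto";

type Fingerprint = (ip: string, ua: string) => string;

// Unkeyed: whoever can guess the input can recompute the value.
export const fingerprintSha256: Fingerprint = (ip, ua) =>
  createHash("sha256").update(`${ip}\n${ua}`).digest("hex");

// Keyed: recomputation needs the server-side key, which is the "additional
// information kept separately" that makes the stored value a pseudonym rather
// than a thin disguise of the input. (Name and key handling are assumptions.)
export function makeHmacFingerprint(key: Buffer): Fingerprint {
  return (ip, ua) => createHmac("sha256", key).update(`${ip}\n${ua}`).digest("hex");
}

// Attacker side: try every host in one /24 against a short user-agent list,
// using whatever fingerprint function the attacker can compute. Real candidate
// spaces (all of IPv4 times popular UAs) are larger but still enumerable offline;
// IPv6 and unusual UAs raise the cost without changing the principle.
export function recoverFingerprint(
  target: string,
  prefix24: string,
  userAgents: string[],
  guess: Fingerprint,
): { ip: string; ua: string } | null {
  for (let host = 0; host < 256; host++) {
    const ip = `${prefix24}.${host}`;
    for (const ua of userAgents) {
      if (guess(ip, ua) === target) return { ip, ua };
    }
  }
  return null;
}

// Constructed sample user agents for a stand-alone run.
export const SAMPLE_UAS: string[] = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0",
  "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0",
  "curl/8.5.0",
];
```

The server can still match a returning login against a keyed fingerprint, because it holds the key; only the reader of a leaked table loses the ability to recover the IP/UA pair.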

Encryption

  • TLS for all transport (operator-issued certificates, e.g. via Let's Encrypt).
  • Provider API credentials, 2FA secrets and tenant SMTP passwords encrypted at rest with AES-256-GCM under PLATFORM_ENCRYPTION_KEY. The key is supplied through the environment and must stay out of the database and its backups; a leaked pg_dump that also carries the key is not protected by this measure.
  • For single-host installs, database access via Unix socket or localhost TCP is recommended so that database traffic never leaves the host, and is never exposed on the network unencrypted.
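The at-rest encryption item above, as an added example in TypeScript with Node's crypto module; this is not the project's own envelope format. It assumes PLATFORM_ENCRYPTION_KEY is a base64-encoded 32-byte key and invents a blob layout (version byte, 12-byte IV, 16-byte tag, ciphertext). It shows the two properties a practitioner should check in any AES-256-GCM at-rest scheme: a fresh random IV for every secret, and an associated-data string that binds each ciphertext to the row it belongs to, so that a ciphertext copied into another tenant's row, decrypted under the wrong key, or modified in place fails to open instead of yielding garbage.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const KEY_VERSION = 1; // leading byte, bumped on key rotation (assumed scheme)
const IV_LEN = 12;     // 96-bit nonce, the standard GCM size
const TAG_LEN = 16;    // 128-bit authentication tag

// Caller passes process.env.PLATFORM_ENCRYPTION_KEY; base64 encoding is an assumption.
export function loadKey(raw: string | undefined): Buffer {
  if (!raw) throw new Error("PLATFORM_ENCRYPTION_KEY is not set");
  const key = Buffer.from(raw, "base64");
  if (key.length !== 32) throw new Error("PLATFORM_ENCRYPTION_KEY must decode to 32 bytes");
  return key;
}

// aad names the owning row, e.g. "tenant:42:smtp_password". It is authenticated
// but not encrypted, so the blob cannot be moved to another row or tenant.
export function sealSecret(plaintext: string, key: Buffer, aad: string): string {
  const iv = randomBytes(IV_LEN); // fresh per call: never reuse an IV under one key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([Buffer.from([KEY_VERSION]), iv, tag, ct]).toString("base64");
}

// Throws if the blob was modified, sealed under another key, or stored with a
// different aad; callers should log that as an integrity event, not retry it.
export function openSecret(blob: string, key: Buffer, aad: string): string {
  const buf = Buffer.from(blob, "base64");
  if (buf.length < 1 + IV_LEN + TAG_LEN || buf[0] !== KEY_VERSION) {
    throw new Error("unsupported or truncated ciphertext");
  }
  const iv = buf.subarray(1, 1 + IV_LEN);
  const tag = buf.subarray(1 + IV_LEN, 1 + IV_LEN + TAG_LEN);
  const ct = buf.subarray(1 + IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(tag); // final() below fails if tag, aad, key or data mismatch
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// For health checks and tests: does this blob open cleanly under (key, aad)?
export function canOpen(blob: string, key: Buffer, aad: string): boolean {
  try {
    openSecret(blob, key, aad);
    return true;
  } catch {
    return false;
  }
}
```

The version byte is what makes key rotation tractable: a new key gets a new version, rows are re-sealed in the background, and `openSecret` can dispatch on the byte instead of trying every key.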

Integrity

  • Every DNS write produces a DnsChange row + audit event.
  • Pre- and post-execution snapshots captured automatically by the change-request executor.
  • Provider operations report per-op success/failure into the change request.

Availability

  • PostgreSQL standard backup tooling via scripts/backup.sh (pg_dump).
  • systemd-supervised services with automatic restart on failure.
  • Healthcheck endpoint exposed at /api/healthz.
  • Cron worker isolated behind CRON_TOKEN bearer auth, idempotent loops.

Auditability

  • AuditEvent rows for every privileged action (filtered viewer at /dashboard/audit).
  • CronRun rows for every scheduled job invocation.
  • MailMessage rows for every outbound email attempt (QUEUED/SENT/FAILED).
  • DnsChange and DnsChangeRequest rows form the complete DNS history.

Vendor management

  • Provider list and roles documented on the /integrations page.
  • Subprocessor list maintained at /subprocessors with current vendors and their role in the data flow.

Incident response

  • Statuspage rendered from the StatusIncident table at /status.
  • Security disclosure address: security@zentralink.net (operator can override per deployment).
  • Operator is responsible for time-bound notification flows (incident comms).