B2BEA.org Rebuild security-privacy-spec
security-privacy-spec artifact · for B2BEA.org Rebuild · status draft
security-privacy-spec artifact · for B2BEA.org Rebuild · status draft
No explicit evidence field yet. Require tests, screenshots, linked PRs, or reviewed outputs before marking complete.
- source: atlas-codex
- status: draft
- project: B2BEA.org Rebuild
- version: 1
- filename: docs/specs/2026-05-08-b2bea-org-security-privacy-spec.md
- project id: a820dd0c-6cef-4133-bfbd-d802fd806e44
- generated at: 2026-05-08
- artifact type: security-privacy-spec
Full legacy body rendered for humans
B2BEA.org V1 Security Privacy Spec
Source of record: RedKey local project artifact draft.
- Project:
B2BEA.org Rebuild - Project ID:
a820dd0c-6cef-4133-bfbd-d802fd806e44 - Artifact:
security-privacy-spec - Version:
1 - Status:
draft - Generated:
2026-05-08
Purpose
Define the minimum security, privacy, ownership, export, and audit requirements for B2BEA.org V1 implementation.
Core Rules
- Client state never grants authorization.
- Every protected read and mutation must validate session, role/entitlement, and resource ownership server-side.
- Vendor, company, and member data must be scoped to the owning account.
- Public projection changes require review/audit where external users can affect public content.
- Exports require explicit authorization, scope limits, expiration, and audit events.
- Private practitioner company workspace data must not be exposed publicly in V1.
Protected Data Classes
| class | examples | rule |
| --- | --- | --- |
| public_content | published articles, public vendor profiles, public events | Public if published and not archived. |
| account_identity | auth user, linked identities, email | Own account or admin only. |
| member_private | profile drafts, progress, saved items, account settings | Own member or authorized admin only. |
| vendor_private | vendor workspace edits, leads, analytics, team | Own vendor account or authorized admin only. |
| company_private | roster, seats, assignments, jobs drafts, exports | Own company account or authorized admin only. |
| admin_operational | review queues, internal notes, platform analytics | Authorized admin only. |
| payment_billing | Stripe state, invoices, renewal notes | Authorized owner/admin; secrets never exposed. |
| survey_response | response data, respondent identity, exports | Scoped by survey policy, owner, assignment, and export permission. |
Audit Events
Audit required for:
- admin publish/archive/rollback
- vendor submitted public-profile changes
- B2BEA approval/rejection of external submissions
- entitlement, seat, role, and membership changes
- exports
- company roster and seat changes
- billing-related admin actions
- deletion/anonymization requests
type AuditEvent = {
actorId: string;
actorRole: string;
action: string;
resourceType: string;
resourceId: string;
accountScope?: string;
decision?: AccessDecision;
metadata?: Record<string, unknown>;
createdAt: string;
};
Export Policy
- Vendor exports: own leads/analytics only.
- Company exports: own roster/progress/assignment/reporting only.
- Admin exports: allowed for authorized admins, with audit events.
- No raw platform-wide cross-account data in vendor/company exports.
- Export URLs must expire.
- Respondent-level survey data in vendor/company reporting requires explicit policy approval per survey.
Rate And Abuse Controls
Minimum controls for launch:
- contact/application/form submission rate limit
- login/signup abuse protection through auth provider settings
- resource download throttling for anonymous users
- admin/vendor/company export throttling
- audit suspicious repeated denied access attempts
Acceptance Criteria
- Every protected route/action maps to a data class and guard.
- Ownership checks are server-side and testable.
- Export and public projection actions create audit events.
- Private company workspace cannot leak through route, sitemap, search index, or public profile behavior.
Machine-readable source fields
atlas-codex
draft
B2BEA.org Rebuild
1
docs/specs/2026-05-08-b2bea-org-security-privacy-spec.md
a820dd0c-6cef-4133-bfbd-d802fd806e44
2026-05-08
security-privacy-spec