Security at Dyno View
This page documents the security controls currently implemented in Dyno View Cloud and related services.
Last reviewed: February 10, 2026
Scope
The controls below are based on the current implementation in Dyno View Cloud web services.
Identity & Access Controls
- User authentication is handled via social identity providers.
- API routes that return or modify protected data require an active session and return 401 when unauthenticated.
- Desktop device authorization is enabled and restricted to registered client identifiers.
- Session management supports listing active sessions and revoking session tokens from the web application.
Tenant Isolation & Authorisation
- Organisation membership is validated before organisation-scoped API access.
- Role-based controls are enforced for organisation administration actions using owner, admin, and member roles.
- Sync read/write operations are scoped by organisation ID and require membership in that organisation.
- Invitation acceptance requires a signed-in user whose email matches the invitation email, and checks invitation status and expiry.
Application Security Controls
- Request validation is applied on key API endpoints for payload and query parameters.
- Cross-origin requests are restricted to an allowlist of known app origins and local development origins.
- Unhandled server errors return a generic response and are logged server-side.
- Sync updates use version checks to detect and report write conflicts.
Data & Operational Practices
- Cloud data is stored with encryption at rest and referential integrity enforced at the database level.
- Client-to-cloud traffic for production domains is served over HTTPS/TLS.
- Session records store metadata including expiry, IP address, and user agent where available.
Account Deletion & Data Removal
- Users can initiate account deletion from the dashboard.
- When deletion is completed, the user account and associated auth/session records are removed.
- User membership records are removed, which revokes access to organisation-scoped data.
- Organisation-owned shared workspace data is retained for the organisation unless that organisation data is separately deleted.