BrokerPath
Ontario's brokerage operating system

Trust & Security

BrokerPath holds the most sensitive parts of your business — client deposits, commission ledgers, FINTRAC records. We treat that responsibility seriously. This page is a plain-language summary of the controls we have in place.

Architecture at a glance

Tenant isolation

Every brokerage is a separate tenant. Postgres row-level security (RLS) policies enforce that no query can ever read or write rows belonging to another brokerage — even if the application code has a bug.

Double-entry ledger

All money movements are recorded in a double-entry ledger that stores amounts as BigInt integer cents. Every journal entry is checked at the database level to sum to zero. Because amounts are integer cents, floating-point rounding errors cannot occur.

Tamper-evident audit log

Every privileged action is recorded in an append-only, hash-chained audit log. UPDATE and DELETE on audit rows are blocked at the database level. Any broken hash is detectable.
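
How a verifier detects a broken hash in a hash-chained log, as an added example (not BrokerPath's code). The row fields, the use of SHA-256 and the JSON encoding are assumptions, since this page does not describe the actual schema.

```javascript
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed prevHash of the first row

// Assumed row shape: { seq, actor, action, prevHash, hash }.
// JSON array encoding keeps field boundaries unambiguous.
function entryHash(row) {
  const payload = JSON.stringify([row.seq, row.actor, row.action, row.prevHash]);
  return createHash("sha256").update(payload).digest("hex");
}

function appendEntry(log, actor, action) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const row = { seq: log.length + 1, actor, action, prevHash };
  row.hash = entryHash(row);
  log.push(row);
  return row;
}

// Walks the chain and reports the first row that fails.
// expectedHead: newest hash kept outside the database; without it,
// rows dropped from the tail leave a shorter but still valid chain.
function verifyChain(log, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const row = log[i];
    if (row.seq !== i + 1) return { ok: false, seq: row.seq, reason: "sequence gap" };
    if (row.prevHash !== prev) return { ok: false, seq: row.seq, reason: "broken link" };
    if (entryHash(row) !== row.hash) return { ok: false, seq: row.seq, reason: "content altered" };
    prev = row.hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) {
    return { ok: false, seq: log.length, reason: "head mismatch" };
  }
  return { ok: true };
}

// Constructed sample rows, not real audit data.
function buildSampleLog() {
  const log = [];
  appendEntry(log, "broker-of-record", "deposit.record deal=101");
  appendEntry(log, "admin", "payout.approve deal=101");
  appendEntry(log, "admin", "user.role.change user=7");
  return log;
}

const demo = buildSampleLog();
demo[1].action = "payout.approve deal=999"; // simulated tampering
console.log(verifyChain(demo)); // first failing row
```

Recomputing the hash of an edited row only moves the failure to the next row, whose prevHash no longer matches.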

Trust account integrity

Database triggers enforce that trust deposits can only be held in a real-estate-trust bank account. The system continuously verifies that RET = −TRL: trust assets exactly equal trust liabilities, to the cent.

Authentication & access

  • Argon2id password hashing (the modern standard, winner of the Password Hashing Competition).
  • Two-factor authentication (TOTP) required for Broker-of-Record and Admin roles.
  • Per-account lockout after 5 failed login attempts within 15 minutes.
  • Per-IP rate limiting on the credential endpoint (10 attempts / 15 min).
  • 8-hour JWT sessions over HTTPS-only cookies; HttpOnly flags prevent JavaScript access.
  • Role-based access control on every privileged action, with Postgres RLS as a second line of defense.
  • The 2FA bypass that exists for development is hard-blocked in production code paths — it is impossible to enable on a live deployment.

Data protection

  • Encryption in transit: TLS 1.3 enforced everywhere. HSTS preload (max-age=31536000; includeSubDomains; preload).
  • Encryption at rest: Postgres database hosted on Neon with encryption at rest. Document storage on Vercel Blob (private access only).
  • SSL-required database connections: sslmode=require enforced on all environments.
  • No public file URLs: all uploaded documents are streamed through an authenticated proxy that re-checks tenant membership on every download.
  • Secrets isolation: production secrets are stored in Vercel environment variables and never committed to source control.

Application hardening

  • Strict CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff on every response.
  • CSRF protection on every mutation via Next.js server actions (same-origin enforcement built in).
  • SQL injection: not possible — all database access uses parameterized Prisma queries.
  • XSS: prevented by default — React escapes all variable interpolations and we never use dangerouslySetInnerHTML.
  • File-upload validation: MIME-type whitelist + magic-byte signature verification + 20 MB cap + filename sanitization.
  • Input validation on every server action: enums checked against allow-lists, amounts bounded, dates parsed safely.
  • No PII in logs: production logs never contain emails or passwords.

Compliance & record-keeping

BrokerPath is built to make your RECO and FINTRAC obligations easier, not harder. We ship out-of-the-box:

  • FINTRAC-compliant Receipt of Funds records on every deposit.
  • Trust reconciliation reports with bank-statement matching.
  • Commission Trust Agreements with electronic signatures and a full e-consent audit trail.
  • Payout statements with itemized splits, royalties, and HST flow-through.
  • Immutable audit log — every deal change, payout, deposit, and admin action is permanently recorded.
  • T4A slips and HST returns generated from ledger data — not hand-keyed.

Operational practices

  • Production environment validation: the app refuses to honor weak or missing security secrets and logs loudly when something is misconfigured.
  • Continuous integration tests cover every money-flow scenario — co-op payouts, capped agent plans, multi-deposits, deal collapses, dual-agent splits.
  • Trial-balance invariant checks are run against production data: every tenant's ledger sums to zero, always.
  • Dependency monitoring via GitHub Dependabot — security patches are applied promptly.

Reporting a vulnerability

If you believe you've found a security issue, please email security@brokerpath.ca. We respond to all reports within one business day and treat all disclosures in good faith.

Last reviewed: April 2026. This page describes the controls implemented in the current production deployment.