Access Controls & Authentication

Who can access your data and how we control permissions

Imagine each coach has their own separate, locked room—no one can peek into anyone else's space. Our access control system ensures that you can only access your own clients and sessions, and that clients can only see data you've explicitly shared with them.

Role-Based Access Control (RBAC)

JourneyLoop implements strict role-based access control, ensuring each user type has precisely the permissions they need—and nothing more.

Coach Role

Full access to their own clients, sessions, and insights
Can create, edit, and delete their own coaching content
Can manage client portal access and permissions
Cannot access other coaches' data in any way

Client Role (Portal Access)

Read-only access to their own session summaries and insights
Can view action items and goals set by their coach
Can mark action items as complete
Cannot see other clients' data or coach's private notes

Administrator Role

System configuration and infrastructure management
User account management and support
No routine access to coaching session content
All administrative access is logged and auditable

Complete Coach Data Isolation

At the technical level, every operation is automatically scoped to the authenticated coach. This isn't just a UI restriction—it's enforced at the system architecture level.

How It Works

Every data operation automatically filters by the logged-in coach's ID

Security controls verify coach ownership before any data access

No cross-coach data sharing or aggregation—each coach's data stays isolated

Impossible to accidentally access another coach's clients or sessions

Technical Detail: Our system enforces coach ownership at the platform architecture level, making it impossible to bypass isolation through any interface or query.
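
The pattern described above (every operation filtered by the logged-in coach's ID, with ownership verified before access) can be sketched as follows. This is an added example, not JourneyLoop's code; the schema, the CoachScopedStore class and the sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

# Constructed schema and rows for illustration; not JourneyLoop's data model.
SCHEMA = """
CREATE TABLE clients  (id INTEGER PRIMARY KEY, coach_id INTEGER NOT NULL, name TEXT);
CREATE TABLE sessions (id INTEGER PRIMARY KEY, coach_id INTEGER NOT NULL,
                       client_id INTEGER NOT NULL, summary TEXT);
INSERT INTO clients  VALUES (1, 10, 'Avery'), (2, 20, 'Blake');
INSERT INTO sessions VALUES (100, 10, 1, 'Goal setting'), (200, 20, 2, 'Career plan');
"""

class CoachScopedStore:
    """Data access bound to one authenticated coach; no method accepts a coach ID."""

    def __init__(self, db, authenticated_coach_id):
        self._db = db
        self._coach_id = authenticated_coach_id  # assumed to come from the server-side session

    def list_clients(self):
        rows = self._db.execute(
            "SELECT id, name FROM clients WHERE coach_id = ? ORDER BY id", (self._coach_id,))
        return rows.fetchall()

    def get_session(self, session_id):
        # Ownership is part of the lookup itself: another coach's row is simply "not found".
        return self._db.execute(
            "SELECT id, summary FROM sessions WHERE id = ? AND coach_id = ?",
            (session_id, self._coach_id)).fetchone()

    def add_session(self, client_id, summary):
        # Verify the client belongs to this coach before writing anything.
        owned = self._db.execute(
            "SELECT 1 FROM clients WHERE id = ? AND coach_id = ?",
            (client_id, self._coach_id)).fetchone()
        if owned is None:
            raise PermissionError("client does not belong to the authenticated coach")
        cur = self._db.execute(
            "INSERT INTO sessions (coach_id, client_id, summary) VALUES (?, ?, ?)",
            (self._coach_id, client_id, summary))
        return cur.lastrowid

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

if __name__ == "__main__":
    store = CoachScopedStore(demo_db(), authenticated_coach_id=10)
    print(store.list_clients(), store.get_session(100), store.get_session(200))
```

Because the coach ID is fixed when the store is created and never taken from request parameters, a guessed or tampered record ID from another coach resolves to nothing rather than to that coach's data.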

Session Timeout & Automatic Logoff

Automatic Session Timeout

After a period of inactivity, your session automatically expires and you're logged out. This prevents unauthorized access if you forget to log out or leave your device unattended.

Secure Logout

When you log out (manually or automatically), your session token is invalidated server-side, preventing session replay attacks.

Session Security

Session cookies use industry-standard security flags to prevent unauthorized access and ensure encrypted transmission over HTTPS only.

Admin Access Logging

We maintain comprehensive audit logs of all administrative actions to ensure accountability and enable security incident investigation.

What We Log

All administrative access to management systems, including who accessed what data and when
User authentication events (logins, failed attempts, password changes)
System configuration changes and security-relevant actions

Log Monitoring

Logs are reviewed regularly for suspicious activity or unauthorized access attempts, with automated alerts for security-critical events.

Retention Period

Access logs are retained for 90 days to support security investigations and compliance audits.

Authentication Security

Password Hashing

Passwords are stored using the PBKDF2 algorithm with 600,000 iterations, an industry-standard cryptographic hashing method, and are never stored in plain text

HTTPS Everywhere

All connections forced to HTTPS with additional protections preventing downgrade attacks

CSRF Protection

Cross-Site Request Forgery protection on all forms and state-changing operations

Unique User IDs

Every user has a unique identifier; all access tied to authenticated user identity

Related: HIPAA Considerations

While HIPAA is currently out of scope for JourneyLoop, these access control measures demonstrate our commitment to enterprise-grade security practices.
