Security Settings
Configure security features including two-factor authentication, session management, and audit logging.
ReturnMate provides enterprise-grade security features to protect your account and customer data. This guide covers configuring security settings for your organisation.
Two-Factor Authentication (2FA)
Enabling 2FA for Your Account
- Go to Profile → Security
- Click Enable Two-Factor Authentication
- Scan QR code with authenticator app (Google Authenticator, Authy, 1Password)
- Enter verification code
- Save backup codes securely
Requiring 2FA for All Users
Admins can enforce 2FA organisation-wide:
- Go to Settings → Security
- Enable Require 2FA for all users
- Set grace period (e.g., 7 days to comply)
- Users without 2FA will be prompted on login
We strongly recommend requiring 2FA for all Admin and Owner accounts at minimum.
Backup Codes
When enabling 2FA, save your backup codes:
- 10 single-use codes provided
- Store securely offline
- Use if you lose your authenticator
- Can regenerate codes (invalidates old ones)
Session Management
Active Sessions
View and manage your active sessions:
- Go to Profile → Security → Sessions
- See all devices/browsers logged in
- Click Revoke to end a session
- Click Revoke All to log out everywhere
Session Timeout
Configure automatic logout:
| Setting | Options |
|---|---|
| Idle timeout | 15 min, 30 min, 1 hour, 4 hours |
| Maximum session | 8 hours, 24 hours, 7 days |
| Remember me | Enable/disable |
Configure these at Settings → Security → Session Settings.
Password Requirements
Password Policy
Default password requirements:
- Minimum 12 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
Custom Password Policy
Enterprise plans can customise:
- Minimum length (8-32 characters)
- Character requirements
- Password expiry (30, 60, 90, 180 days)
- Password history (prevent reuse)
- Account lockout threshold
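A small validator for the policy knobs listed above, as an added example that is not ReturnMate's own code: it checks a candidate password against the default requirements, enforces the 8-32 length bound for custom policies, and keeps a salted hash history so reuse can be rejected without storing plaintext. The history size and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Mirrors the policy knobs in this guide; defaults match the default policy."""
    min_length: int = 12          # Enterprise plans may set 8-32
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_size: int = 5         # assumed: how many old passwords are blocked

    def __post_init__(self):
        if not 8 <= self.min_length <= 32:
            raise ValueError("minimum length must be between 8 and 32")


def check_password(policy, password):
    """Return the list of rules the candidate fails (empty list = accepted)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no number")
    if policy.require_special and not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 (iteration count is an assumed value)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reused(history, password):
    """True if the password matches any (salt, digest) pair kept in history."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def remember(history, password, policy):
    """Record a newly set password and drop entries beyond the history size."""
    history.append(hash_password(password))
    del history[:-policy.history_size]
```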
IP Allowlisting
Restrict access to specific IP addresses or ranges.
Setting Up Allowlist
- Go to Settings → Security → IP Allowlist
- Click Add IP Range
- Enter IP address or CIDR range
- Add description (e.g., "Office network")
- Save
Examples
- Single IP: `203.0.113.45`
- IP range: `203.0.113.0/24`
- Office: `203.0.113.0/24` (description: "Office - Sydney")
- VPN: `198.51.100.0/24` (description: "Corporate VPN")
Incorrect IP allowlist settings can lock everyone out. Always test with a secondary admin account before enabling.
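One way to do that pre-flight check before enabling the allowlist, as an added example (not part of ReturnMate or this guide): parse the entries with the standard library, reject malformed ones, and list any admin IP that would be locked out. The allowlist below is constructed from the examples above, and the description strings are illustrative.

```python
import ipaddress

# Constructed allowlist mirroring the guide's examples (entry, description).
ALLOWLIST = [
    ("203.0.113.45", "Single IP"),
    ("203.0.113.0/24", "Office - Sydney"),
    ("198.51.100.0/24", "Corporate VPN"),
]


def parse_allowlist(entries):
    """Turn (entry, description) pairs into network objects.

    A malformed entry raises ValueError here, so a typo is caught before
    the allowlist is enabled rather than after it starts rejecting logins.
    """
    networks = []
    for entry, description in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)  # single IP -> /32
        except ValueError as exc:
            raise ValueError(f"bad allowlist entry {entry!r} ({description})") from exc
        networks.append((net, description))
    return networks


def matching_entry(networks, client_ip):
    """Return the description of the first entry covering client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for net, description in networks:
        if addr in net:
            return description
    return None


def preflight(entries, admin_ips):
    """Lockout check: every admin IP that must keep access has to be covered.

    Returns the admin IPs that would be locked out; an empty list means the
    allowlist is safe to enable for those admins.
    """
    networks = parse_allowlist(entries)
    return [ip for ip in admin_ips if matching_entry(networks, ip) is None]
```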
Audit Logging
What's Logged
All significant actions are recorded:
| Category | Events |
|---|---|
| Authentication | Login, logout, failed attempts, 2FA |
| User Management | Create, edit, delete users, role changes |
| RMA Actions | Create, approve, reject, refund |
| Settings Changes | Policy, integration, security changes |
| Data Access | Exports, API access, sensitive data views |
Viewing Audit Logs
- Go to Settings → Security → Audit Log
- Filter by user, action type, date range
- Export for compliance records
Log Retention
| Plan | Retention |
|---|---|
| Starter | 30 days |
| Professional | 90 days |
| Enterprise | 1 year+ (customisable) |
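Once logs are exported, a short script can surface the anomalies worth reviewing. The following is an added example, not ReturnMate's tooling: the JSON-lines format, field names and the 10-minute window are assumptions (the page documents the categories and the 3+ failed-attempt threshold, not the export layout). It flags users who hit three or more failed logins inside the window, and data exports by any such user.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit export in JSON-lines form (field names assumed).
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "category": "Authentication", "event": "login_failed", "user": "alice"}
{"ts": "2024-05-01T09:01:10Z", "category": "Authentication", "event": "login_failed", "user": "alice"}
{"ts": "2024-05-01T09:02:30Z", "category": "Authentication", "event": "login_failed", "user": "alice"}
{"ts": "2024-05-01T09:03:00Z", "category": "Authentication", "event": "login", "user": "alice"}
{"ts": "2024-05-01T09:20:00Z", "category": "Data Access", "event": "export", "user": "alice"}
{"ts": "2024-05-01T10:00:00Z", "category": "Authentication", "event": "login_failed", "user": "bob"}
{"ts": "2024-05-01T11:30:00Z", "category": "Authentication", "event": "login_failed", "user": "bob"}
{"ts": "2024-05-01T12:00:00Z", "category": "Data Access", "event": "export", "user": "carol"}
"""

FAILED_THRESHOLD = 3            # matches the "3+ failed attempts" notification
WINDOW = timedelta(minutes=10)  # assumed window; the guide does not specify one


def parse_log(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    records = [json.loads(line) for line in text.strip().splitlines()]
    for r in records:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["ts"])


def failed_login_bursts(records):
    """Users with FAILED_THRESHOLD or more failed logins inside WINDOW."""
    per_user = defaultdict(list)
    for r in records:
        if r["category"] == "Authentication" and r["event"] == "login_failed":
            per_user[r["user"]].append(r["ts"])
    flagged = set()
    for user, times in per_user.items():  # times are already in order
        for i in range(len(times) - FAILED_THRESHOLD + 1):
            if times[i + FAILED_THRESHOLD - 1] - times[i] <= WINDOW:
                flagged.add(user)
                break
    return flagged


def exports_after_burst(records):
    """Data Access events by a user who had a failed-login burst: review these."""
    flagged = failed_login_bursts(records)
    return [(r["user"], r["ts"].isoformat()) for r in records
            if r["category"] == "Data Access" and r["user"] in flagged]
```

Bob's two failures an hour and a half apart stay below the threshold; Alice's three failures in under three minutes followed by an export are what the second check is for.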
API Security
API Key Management
Secure your API integrations:
- Create purpose-specific keys with minimal permissions
- Rotate keys regularly (recommended: quarterly)
- Revoke unused keys immediately
- Monitor API usage for anomalies
API Key Best Practices
- Use separate keys for each integration
- Never commit keys to source control
- Store keys in environment variables
- Set IP restrictions where possible
- Monitor key usage in dashboard
Single Sign-On (SSO)
Enterprise plans support SSO.
Supported Providers
| Provider | Protocol |
|---|---|
| Google Workspace | OIDC |
| Microsoft Azure AD | SAML 2.0 |
| Okta | SAML 2.0 |
| OneLogin | SAML 2.0 |
| Custom | SAML 2.0 |
SSO Configuration
Contact support to set up SSO with your identity provider.
Data Protection
Encryption
- All data encrypted at rest (AES-256)
- All traffic encrypted in transit (TLS 1.3)
- Sensitive fields encrypted with additional layer
Data Residency
Data is stored in Australia:
- Primary: Sydney (ap-southeast-2)
- Backup: Melbourne
Enterprise customers can request specific data residency arrangements.
Data Retention
Configure how long data is kept:
| Data Type | Default | Options |
|---|---|---|
| RMA records | Forever | 1-7 years |
| Audit logs | Per plan | Varies |
| Customer data | Forever | Per request |
Compliance
Certifications
ReturnMate maintains:
- SOC 2 Type II
- GDPR compliance
- Australian Privacy Act compliance
Compliance Reports
Enterprise customers can request:
- SOC 2 report
- Penetration test summary
- Security questionnaire completion
Incident Response
Reporting Security Issues
If you discover a security vulnerability:
- Email security@returnmate.io
- Include detailed description
- Do not publicly disclose
- We'll respond within 24 hours
Security Notifications
You'll be notified of:
- Successful logins from new devices
- Failed login attempts (3+)
- Password changes
- Security setting changes
- Suspicious activity detected
Best Practices
- Enable 2FA for all users
- Use strong, unique passwords
- Review active sessions regularly
- Audit user access quarterly
- Remove departing employees immediately
- Use IP allowlisting if possible
- Monitor audit logs for anomalies
- Keep API keys minimal and rotated