Security Policies allows the owner of the CPaaS to customize and enforce security rules across their organization by claiming their email domain. Once verified, it enables centralized control over login requirements, password policies, and organization-level security settings to help protect user accounts and ensure consistent security standards.

Note: Security Policies are only available to organizations that have successfully claimed their email domain. If the domain claim is revoked, all related policies are automatically deactivated.

• Minimum Password Length — Minimum number of characters a user must input to set a password.
• Maximum Password Length — Maximum number of characters a user can input while setting up the password.
• Require at Least One Uppercase Letter — If enabled, every password must include at least one capital letter (A–Z). Increases password complexity and reduces the risk of unauthorized access.
• Require at Least One Lowercase Letter — If enabled, every password must include at least one small letter (a–z). Ensures a mix of character types in the password.
• Require at Least One Number — Every password must include at least one numerical digit (0–9).
• Require at Least One Non-Alphanumeric Character — Every password must include at least one special character (e.g., !, @, #, $, %, ^, &, *, -, _, +, =). Increases complexity and makes passwords harder to crack.
• Enable Password Expiration — If enabled, passwords must be changed after a set period. Ensures passwords are regularly updated, reducing the risk of compromised credentials being used long-term.
• Prevent Password Reuse — If enabled, users cannot reuse a previously used password when creating a new one.
• Minimum Password Age (in hours) — After resetting a password, users must wait this duration before changing it again. Default: 24 hours. Set to 0 to disable. Does not apply to Forgot Password resets.

• Web Session Timeout (in hours) — Total duration a web session can remain active regardless of user activity. Default: 24 hours.
• Mobile Session Expiry Time (in hours) — Duration a user's mobile app session remains active before auto-logout. Default: Disabled.
• Desktop Session Expiry Time (in hours) — Duration a desktop application session remains active before auto-expiry. Default: Disabled.
• Web Session Idle Timeout (in minutes) — Duration of inactivity after which a web session will expire. Default: Disabled.
• Expire Cookie When Browser Closes — Session cookie is deleted automatically when the browser is closed. Prevents unauthorized access if someone else uses the same device after the user's session. Default: Disabled.
• Prevent Concurrent Active Web Sessions — Restricts users from being logged into the same account from multiple devices or browsers at the same time. Default: Enabled.

• Enforce 2FA for the Whole Domain — All users in the organization must use two-factor authentication (2FA) to log in. 2FA requires a second form of verification (e.g., authenticator app code) in addition to the password. Ensures unauthorized access is blocked even if a password is compromised. Default: Disabled.

• Login Lockout — Temporarily disables account access after 5 consecutive failed login attempts. Protects against brute-force attacks.
• Configure IP Whitelisting — Restricts login access to approved and trusted IP addresses only. Users connecting from non-whitelisted IP addresses will be denied access.