Multi-factor authentication (MFA)
MFA is opt-in — Seloria never forces you to enroll, but we recommend it for everyone. To enable it, go to Settings → Security and find the MFA section:
- Click to start enrollment. Seloria shows a QR code (and a manual secret you can reveal if you prefer typing it).
- Scan the QR code with any authenticator app (Google Authenticator, Microsoft Authenticator, 1Password, etc.).
- Enter the 6-digit code from your app to verify and complete enrollment.
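
What the enrollment steps above involve on the server side, as an added example that is not Seloria's code: it assumes the 6-digit codes follow the TOTP standard (RFC 6238) with a 30-second step and HMAC-SHA1, the defaults the listed authenticator apps support. The function names, the account and the issuer are hypothetical.

```python
# Added example, not Seloria's code: TOTP enrollment check per RFC 6238.
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

STEP, DIGITS = 30, 6  # assumed: defaults used by common authenticator apps
# Published RFC 6238 test key, used here only as sample input.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

def new_secret() -> str:
    """Random 160-bit secret in Base32 (the 'manual secret' a user could type)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind an enrollment QR code encodes."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")

def totp(secret: str, counter: int) -> str:
    """Code for one time-step counter (HMAC-SHA1 + dynamic truncation)."""
    key = base64.b32decode(secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def verify(secret, submitted, last_counter=-1, now=None, window=1):
    """Return the matched counter, or None if the code is rejected.

    Tolerates +/- `window` steps of clock drift. Counters <= last_counter
    are skipped so an already-accepted code cannot be replayed.
    """
    if not (len(submitted) == DIGITS and submitted.isascii() and submitted.isdigit()):
        return None
    current = int(time.time() if now is None else now) // STEP
    for counter in range(current - window, current + window + 1):
        if counter > last_counter and hmac.compare_digest(totp(secret, counter), submitted):
            return counter
    return None

if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "user@example.com", "ExampleApp"))  # constructed values
    code = totp(secret, int(time.time()) // STEP)  # what the app would display
    print("enrollment verified:", verify(secret, code) is not None)
```

The caller stores the counter returned by `verify` and passes it back as `last_counter` on the next attempt, which is what makes a captured code useless once it has been accepted.
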
One session at a time
Seloria enforces a single active session per user. If you sign in on a second device or browser, your previous session is invalidated. The signed-out device detects this within about a minute and returns you to the login page with the message that your session was closed because you signed in from another device. This prevents shared or forgotten sessions from staying open on other machines. If you were unexpectedly signed out, the most likely cause is that you (or someone with your credentials) signed in elsewhere — if you didn’t, change your password.
Password policy
By default, passwords must:
- Be at least 8 characters long
- Include at least one uppercase letter
- Include at least one lowercase letter
- Include at least one number
Resetting your password
- On the login page, click Forgot password.
- Complete the human-verification check and enter your email. Seloria sends you a reset link.
- Follow the link and choose a new password that meets your organization’s policy.
CAPTCHA
Seloria uses a human-verification challenge (Cloudflare Turnstile) on the signup and forgot password pages, and on the supplier response portals, to block automated abuse. It usually verifies invisibly without requiring any interaction.
IP restrictions (Administrators)
Organizations that need network-level control can enable an IP whitelist in Settings → Security. When enabled, only requests coming from the listed IP addresses can access the application — everything else is blocked at the edge, before reaching any data. Enter one IP address per line. Only Administrators see and edit org-wide security policies; other users see just their personal account section (password and MFA).
Your data stays your data
Seloria is multi-tenant, and every record — requests, RFQs, quotations, POs, suppliers, budgets, settings — is scoped to your organization. Isolation is enforced at the database layer on every query, not just in the interface, so users from one company can never see another company’s data. Within your organization, role rules apply on top: for example, requestors only see their own requests, and buyers only see work assigned to them.
Audit trail
Every key document (RFQ, RFI, RFP, and PO) has a History tab showing a chronological feed of everything that happened to it:
- Creation, edits (with field-by-field before/after changes), and status changes
- Publication and supplier invitations
- Quotations received
- Awards (with amount and strategy), award reversals, approvals and rejections
- POs generated from the document

