Security Practices
Infrastructure security
| Practice | Implementation |
|---|---|
| TLS everywhere | TLS 1.3 minimum on all endpoints; HSTS with 1-year max-age |
| Secrets management | All secrets stored in HashiCorp Vault with audit logging |
| Database encryption | AES-256 at rest; TLS in transit between services |
| Network segmentation | Database and internal services not publicly reachable |
| DDoS protection | Cloudflare Magic Transit on all public IPs |
| WAF | Cloudflare WAF with OWASP Core Rule Set |
| Vulnerability scanning | Weekly automated scans of our own infrastructure |
Application security
| Practice | Implementation |
|---|---|
| Input validation | All API inputs validated against strict JSON Schema |
| SQL injection | Parameterized queries / ORM throughout |
| XSS | React's auto-escaping + strict CSP |
| CSRF | SameSite=Strict cookies + CSRF tokens on mutations |
| Rate limiting | Per-IP and per-account rate limits on all endpoints |
| Authentication | Argon2id password hashing; TOTP 2FA available |
| Session management | Short-lived JWTs (1h) + refresh tokens (30d) with rotation |
Credential security
All integration credentials (cloud API keys, webhook URLs, etc.) are:
- Encrypted with AES-256-GCM before database write
- Never logged (any credential that appears in logs is masked)
- Never exposed via API responses (write-only; cannot be retrieved after initial entry)
- Scoped to minimum required permissions (we validate and warn if over-privileged)
Access control
- All customer data is partitioned by
workspace_idat the query level - Database accounts are role-based with no cross-workspace access possible
- Production database access requires VPN + hardware MFA
- All production access is logged and reviewed weekly
Responsible disclosure
We take security reports seriously. If you discover a vulnerability:
Email: [email protected] Response SLA: Within 24 hours Fix SLA: Critical: 24h, High: 7 days, Medium: 30 days
We operate a coordinated disclosure policy:
- Report to us first
- We acknowledge within 24 hours
- We fix and notify you
- You can publish details 90 days after our fix
We currently do not operate a paid bug bounty program, but we will publicly acknowledge security researchers who report valid vulnerabilities.
Compliance roadmap
| Standard | Status |
|---|---|
| SOC 2 Type I | In progress (Q2 2025) |
| SOC 2 Type II | Planned (Q4 2025) |
| ISO 27001 | Planned (2026) |
| GDPR | Compliant |
| CCPA | Compliant |