Secure by default,
by contract.

Traffic between your browser, the public API, and every internal service is wrapped in TLS 1.3. We disable older protocol versions outright rather than negotiating downgrades, so an attacker on the wire sees ciphertext or nothing.

Sensitive data on disk — cloud credentials, secrets, API tokens — is encrypted with AES-256-GCM via envelope encryption. Keys live separately from the data they protect, rotated on a documented schedule.

AWS, Azure, and GCP credentials you connect for drift detection are encrypted individually, sealed before they touch storage, and never written to logs or surfaced in plaintext outside the runtime memory of the worker that uses them.

Users authenticate through GitHub OAuth or email and password. Sessions are issued as short-lived JSON Web Tokens stored in HTTP-only cookies, refreshed quietly and revoked the moment you sign out.

Organizations enforce fine-grained role-based access. Members, managers, and owners each carry distinct permission boundaries, evaluated on every request — never on the client.

Admin-panel operations require multi-factor authentication via WebAuthn passkeys, with a fifteen-minute idle timeout. Every state-changing request also carries a CSRF token validated server-side through the double-submit cookie pattern.

Workloads run on Kubernetes (k3s in development, EKS in production) under strict NetworkPolicies. Pod-to-pod communication is constrained to declared routes — anything else is dropped before it reaches the application.

Every container runs as a non-root user with a read-only root filesystem. Privilege escalation is disabled at the pod security level, and capabilities are dropped except where strictly required.

Secrets are injected at runtime via Kubernetes Secrets and Helm-managed sealed secrets — never baked into images. Internal services (Resource Engine, Rules Engine, Drift Collector, Dataviz) are unreachable from the public internet; every call passes through the authenticated Node.js API.

Every privileged action — scan triggers, credential changes, member management — is recorded in an append-only audit log with hash-chain integrity verification. Tampering with history requires breaking the chain, and the chain is queryable.

We are actively pursuing SOC 2 Type II certification. Controls for availability, confidentiality, and security are being documented and tested across the platform on the path to attestation.

Infrastructure is hosted in the European Union. Data subjects can request export or deletion through the Privacy Policy and DPA. Scan results live for the duration of the subscription; cloud credentials are deleted immediately upon disconnection or account closure.