# Security Practices Platform Security Overview ## Encryption Everywhere All customer data is encrypted in transit with TLS 1.3 and at rest with AES-256. Encryption keys are managed through dedicated key management infrastructure and rotated on a regular schedule. Internal communication between services runs over the cluster network with strict policy enforcement. No customer data ever traverses the public internet unencrypted. ## Authentication and Access Control User authentication uses industry-standard JWT cookies over HTTPS only, with passwords hashed via Argon2 and PBKDF2. Single sign-on via Google and Microsoft is supported for organizations that need it. Two-factor authentication is enforced for all administrative access. Role-based access control governs every action inside the workspace. The principle of least privilege applies to people, AI employees, and integrated tools alike. Every privileged action writes an audit log entry tied to the responsible identity. ## Network and Application Hardening The platform runs on a hardened Kubernetes environment with default-deny network policies, pod security standards, and ingress rate limiting. Container images are built from minimal base images and scanned for vulnerabilities before deployment. The application layer applies strict security headers, content security policy, and parameterized database queries throughout. Dependencies are continuously scanned for known vulnerabilities and patched on a documented timeline. ## Tenant Isolation Customer environments are isolated at every layer of the stack: database, application, cache, file storage, and workflow engine. Personal data, files, and AI conversations never cross tenant boundaries. Tenant identity is enforced by middleware on every request and by integration tests that probe for cross-tenant access. This is the most important security boundary on the platform and we treat any regression as a critical incident. ## What this means for customers - TLS 1.3 in transit, AES-256 at rest, on every layer - Two-factor authentication enforced for administrative access - Role-based access control with full audit logging - Hardened Kubernetes infrastructure with continuous vulnerability scanning - Strict tenant isolation enforced at every layer of the stack