Security
Security Policy
Last updated: 8 May 2026
Security posture
Azoth OS is built to OWASP ASVS Level 1 and Level 2 standards. Security is a first-class concern at every layer of the stack.
Infrastructure
- Transport — TLS 1.3 enforced on all connections. HSTS with 1-year max-age and includeSubDomains.
- Data at rest — AES-256 encryption via Supabase (backed by AWS RDS).
- Database — Row Level Security enforced on every table. Service role used only for server-side writes; client role used for all user-facing queries.
- Hosting — Deployed on Vercel Edge Network with automatic DDoS mitigation.
Authentication & access
- Passwords — bcrypt-hashed by Supabase Auth. Minimum 8 characters enforced with strength indicator.
- 2FA — TOTP (RFC 6238) available for all accounts via authenticator app.
- API keys — stored as SHA-256 hashes only; the plaintext key is shown once on creation.
- Sessions — Supabase-issued JWT with hard expiry after a configurable inactivity window (default 8 hours;
SESSION_MAX_AGE_HOURSenv override). Refresh tokens rotate on each use. - OAuth — Google OAuth 2.0 via Supabase; no password stored for OAuth users.
Application security
- Security headers — Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy enforced via Next.js middleware.
- CSRF — SameSite=Strict cookies; all state-changing API calls require a valid session token.
- Input validation — all user input validated at API boundaries. SQL injection not possible (parameterized queries via Supabase SDK).
- Webhook signatures — HMAC-SHA256 with timing-safe comparison (Stripe-compatible format).
- Audit logs — all significant actions (member invite, API key create/delete, settings change, billing event) written to an immutable `audit_logs` table via service role.
RBAC
Fine-grained role-based access control with four roles: Owner, Admin, Member, Analyst (read-only). Roles are enforced at both application and database (RLS) levels. The has_workspace_role() SQL function is security definer and stable.
Vulnerability disclosure
We operate a responsible disclosure program. If you discover a security vulnerability, please email security@azothos.ai with:
- A clear description of the vulnerability
- Steps to reproduce
- Potential impact
We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days. We do not pursue legal action against researchers who act in good faith.
Compliance
- GDPR — Article 28 DPA available; data export via API v1 (Article 15/20); right to erasure honoured within 30 days (Article 17). Records of processing at /legal/ropa.
- SOC 2 Type II — controls inventory and audit readiness assessment on the roadmap. We will publish an updated status here once a SOC 2 engagement is formally initiated; until then this section makes no claim of a current or in-progress audit.
- HIPAA — BAA available for Enterprise customers. Not recommended for PHI storage without a signed BAA.
Contact
Security team: security@azothos.ai
PGP key available on request.