Skip to main content
AzothOS← Back to home

Security

Security Policy

Last updated: 8 May 2026

Security posture

Azoth OS is built to OWASP ASVS Level 1 and Level 2 standards. Security is a first-class concern at every layer of the stack.

Infrastructure

  • Transport — TLS 1.3 enforced on all connections. HSTS with 1-year max-age and includeSubDomains.
  • Data at rest — AES-256 encryption via Supabase (backed by AWS RDS).
  • Database — Row Level Security enforced on every table. Service role used only for server-side writes; client role used for all user-facing queries.
  • Hosting — Deployed on Vercel Edge Network with automatic DDoS mitigation.

Authentication & access

  • Passwords — bcrypt-hashed by Supabase Auth. Minimum 8 characters enforced with strength indicator.
  • 2FA — TOTP (RFC 6238) available for all accounts via authenticator app.
  • API keys — stored as SHA-256 hashes only; the plaintext key is shown once on creation.
  • Sessions — Supabase-issued JWT with hard expiry after a configurable inactivity window (default 8 hours; SESSION_MAX_AGE_HOURS env override). Refresh tokens rotate on each use.
  • OAuth — Google OAuth 2.0 via Supabase; no password stored for OAuth users.

Application security

  • Security headers — Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy enforced via Next.js middleware.
  • CSRF — SameSite=Strict cookies; all state-changing API calls require a valid session token.
  • Input validation — all user input validated at API boundaries. SQL injection not possible (parameterized queries via Supabase SDK).
  • Webhook signatures — HMAC-SHA256 with timing-safe comparison (Stripe-compatible format).
  • Audit logs — all significant actions (member invite, API key create/delete, settings change, billing event) written to an immutable `audit_logs` table via service role.

RBAC

Fine-grained role-based access control with four roles: Owner, Admin, Member, Analyst (read-only). Roles are enforced at both application and database (RLS) levels. The has_workspace_role() SQL function is security definer and stable.

Vulnerability disclosure

We operate a responsible disclosure program. If you discover a security vulnerability, please email security@azothos.ai with:

  • A clear description of the vulnerability
  • Steps to reproduce
  • Potential impact

We will acknowledge your report within 48 hours and aim to resolve critical issues within 7 days. We do not pursue legal action against researchers who act in good faith.

Compliance

  • GDPR — Article 28 DPA available; data export via API v1 (Article 15/20); right to erasure honoured within 30 days (Article 17). Records of processing at /legal/ropa.
  • SOC 2 Type II — controls inventory and audit readiness assessment on the roadmap. We will publish an updated status here once a SOC 2 engagement is formally initiated; until then this section makes no claim of a current or in-progress audit.
  • HIPAA — BAA available for Enterprise customers. Not recommended for PHI storage without a signed BAA.

Contact

Security team: security@azothos.ai
PGP key available on request.

© 2026 Beweird SAS
PrivacyTermsSecurityAccessibilityDPA