Security by design
Security isn't a feature we added — it's a constraint we build within. Here's how we protect your data and infrastructure.
Infrastructure security
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Infrastructure runs on hardened cloud environments with network isolation between tenants.
Access control
Role-based access control (RBAC) with fine-grained permissions. SSO via SAML 2.0 and OIDC on Enterprise. API keys are scoped per workspace and rotatable at any time.
Audit & observability
Every API call, workflow run, and configuration change is logged immutably. Logs are queryable and exportable. Retention is configurable up to 365 days on Enterprise.
Security practices
How we protect data across every layer of the stack.
All stored data — workflow definitions, run logs, plugin state — is encrypted using AES-256-GCM. Encryption keys are rotated automatically on a 90-day schedule.
All connections use TLS 1.3. Older TLS versions and weak cipher suites are rejected. Certificate pinning is available for enterprise SDK integrations.
Each tenant's data is isolated at the storage layer. Workflow executions run in separate sandboxes. Cross-tenant data access is architecturally prevented, not just policy-controlled.
Workflow secrets and integration credentials are stored encrypted in a dedicated vault, never in workflow definitions or logs. Secrets are injected at runtime and never exposed in plaintext.
All dependencies are pinned and audited with automated tooling on every release. Critical CVEs trigger immediate patch releases. A full software bill of materials (SBOM) is available on request.
We conduct annual third-party penetration tests and address all critical and high findings before the next release. Summaries are available to Enterprise customers under NDA.
Compliance
Data processing agreements available. EU data residency option on Enterprise.
Audit in progress. Report available to Enterprise prospects under NDA.
Planned for 2026. Controls are aligned and gap analysis is complete.
Standard data processing agreement available for all paid plans.
Questions about security?
We're happy to share more detail under NDA or walk through our controls with your security team.