Built for enterprises
that demand security
Privacy-first architecture. No source code retention. Cryptographic audit trail. Enterprise SSO. Every control designed to pass a technical due diligence review.
Enterprise-grade security by design
No Source Code Retention
Source code submitted for scanning is processed in-memory and never written to our database. Only cryptographic hashes (SHA-256) of scan results are persisted.
PII sanitiser redacts credentials, API keys, emails, and IPs before any external LLM call. If the sanitiser cannot confirm safety, the call is aborted.
Encryption in Transit and at Rest
All API and dashboard traffic uses TLS 1.3 with HSTS enforced. Database and object storage are encrypted at rest with AES-256. TLS certificates auto-renewed via Let's Encrypt.
HSTS max-age: 63072000 (2 years) with includeSubDomains and preload.
Password and Credential Security
Passwords are hashed with bcrypt (cost factor 12). API keys and webhook secrets are stored as SHA-256 hashes only — the raw value is shown once at creation and never retrievable.
JWT access tokens expire after 15 minutes. Refresh tokens rotate on every use and expire after 7 days.
Cryptographic Audit Chain
Every platform action is written to an append-only audit log with HMAC-SHA256 integrity signatures. Each entry chains to the previous — any deletion or modification breaks the chain and is detectable.
Chain verification endpoint available to administrators: GET /api/v1/auth/audit/verify.
Multi-Tenant Isolation
Every database table carries an organisation_id foreign key. All API queries are scoped to the authenticated organisation. Cross-tenant data access is structurally impossible at the query layer.
SQLAlchemy async ORM with row-level tenant isolation. No shared database tables without organisation scoping.
SSO / SAML 2.0 Support
Enterprise customers can authenticate via SAML 2.0 with Okta, Azure AD, or Google Workspace. SAML assertions are validated including NotOnOrAfter, audience restriction, and signature verification.
OIDC support via Okta and Azure AD. Legacy password auth available for non-SSO organisations.
Security headers on every response
All API and web responses include a full set of security headers enforced at the application layer.
X-Content-Type-OptionsnosniffX-Frame-OptionsDENYX-XSS-Protection1; mode=blockStrict-Transport-Securitymax-age=63072000; includeSubDomains; preloadReferrer-Policystrict-origin-when-cross-originPermissions-Policygeolocation=(), microphone=(), camera=()Security and compliance posture
Responsible Disclosure
If you discover a security vulnerability in SovereignAudit, we ask that you report it to us privately so we can address it before public disclosure. We commit to acknowledging reports within 48 hours and providing a fix timeline within 7 days for critical issues.
Need to review our security documentation?
Enterprise customers can request our security questionnaire responses, penetration test summaries, and architectural diagrams under NDA.