Security Architecture

Built for enterprises
that demand security

Privacy-first architecture. No source code retention. Cryptographic audit trail. Enterprise SSO. Every control designed to pass a technical due diligence review.

Security Controls

Enterprise-grade security by design

Privacy

No Source Code Retention

Source code submitted for scanning is processed in-memory and never written to our database. Only cryptographic hashes (SHA-256) of scan results are persisted.

PII sanitiser redacts credentials, API keys, emails, and IPs before any external LLM call. If the sanitiser cannot confirm safety, the call is aborted.

Encryption

Encryption in Transit and at Rest

All API and dashboard traffic uses TLS 1.3 with HSTS enforced. Database and object storage are encrypted at rest with AES-256. TLS certificates auto-renewed via Let's Encrypt.

HSTS max-age: 63072000 (2 years) with includeSubDomains and preload.

Auth

Password and Credential Security

Passwords are hashed with bcrypt (cost factor 12). API keys and webhook secrets are stored as SHA-256 hashes only — the raw value is shown once at creation and never retrievable.

JWT access tokens expire after 15 minutes. Refresh tokens rotate on every use and expire after 7 days.

Integrity

Cryptographic Audit Chain

Every platform action is written to an append-only audit log with HMAC-SHA256 integrity signatures. Each entry chains to the previous — any deletion or modification breaks the chain and is detectable.

Chain verification endpoint available to administrators: GET /api/v1/auth/audit/verify.

Architecture

Multi-Tenant Isolation

Every database table carries an organisation_id foreign key. All API queries are scoped to the authenticated organisation. Cross-tenant data access is structurally impossible at the query layer.

SQLAlchemy async ORM with row-level tenant isolation. No shared database tables without organisation scoping.

Identity

SSO / SAML 2.0 Support

Enterprise customers can authenticate via SAML 2.0 with Okta, Azure AD, or Google Workspace. SAML assertions are validated including NotOnOrAfter, audience restriction, and signature verification.

OIDC support via Okta and Azure AD. Legacy password auth available for non-SSO organisations.

HTTP Security

Security headers on every response

All API and web responses include a full set of security headers enforced at the application layer.

X-Content-Type-Optionsnosniff
X-Frame-OptionsDENY
X-XSS-Protection1; mode=block
Strict-Transport-Securitymax-age=63072000; includeSubDomains; preload
Referrer-Policystrict-origin-when-cross-origin
Permissions-Policygeolocation=(), microphone=(), camera=()
Compliance Certifications

Security and compliance posture

EU AI Act (Reg. 2024/1689)
Active
SOC 2 Type II
In Progress
ISO 42001 (AI Management)
In Progress
GDPR Article 25 (Privacy by Design)
Active
ISO 27001
In Progress

Responsible Disclosure

If you discover a security vulnerability in SovereignAudit, we ask that you report it to us privately so we can address it before public disclosure. We commit to acknowledging reports within 48 hours and providing a fix timeline within 7 days for critical issues.

Please encrypt sensitive reports using our PGP key, available on request.

Need to review our security documentation?

Enterprise customers can request our security questionnaire responses, penetration test summaries, and architectural diagrams under NDA.