Infrastructure-grade security for AI audit data. Every prompt, response, and associated metadata record is protected with industry-standard controls.
All prompt and response payloads are encrypted using AES-256-GCM via Cloak/Ecto. Encryption keys are managed through environment configuration and are never stored alongside the data they protect. Because encryption happens in the application before a row is written, database backups contain only ciphertext and inherit the same protection.
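As an added illustration of this design (example code, not SignalVault's own), the following shows how a Cloak vault loads a 32-byte AES-256-GCM key from the environment at boot and how Cloak.Ecto wraps schema fields so encryption happens before the insert. The module names (MyApp.*), the CLOAK_KEY variable and the audit_events schema are assumptions for illustration.

```elixir
# Added example, not the project's code. Assumes the `cloak` and `cloak_ecto`
# dependencies and an application named :my_app.

defmodule MyApp.Vault do
  use Cloak.Vault, otp_app: :my_app

  # Cloak calls init/1 when the vault GenServer starts, so the key is read
  # from the environment at boot rather than compiled into a release or
  # checked into config files.
  @impl GenServer
  def init(config) do
    config =
      Keyword.put(config, :ciphers,
        default:
          {Cloak.Ciphers.AES.GCM,
           tag: "AES.GCM.V1",           # tag is stored with each ciphertext to select the cipher
           key: decode_env!("CLOAK_KEY"),
           iv_length: 12}               # 96-bit nonce, the recommended GCM size
      )

    {:ok, config}
  end

  # Generate a key once with: 32 |> :crypto.strong_rand_bytes() |> Base.encode64()
  # and place it in the deployment environment, never in the database.
  defp decode_env!(var) do
    key = var |> System.fetch_env!() |> Base.decode64!()
    # AES-256 needs exactly 32 bytes; fail loudly at boot otherwise.
    32 = byte_size(key)
    key
  end
end

# An Ecto type that transparently encrypts on write and decrypts on read.
defmodule MyApp.Encrypted.Binary do
  use Cloak.Ecto.Binary, vault: MyApp.Vault
end

# Only the sensitive payloads use the encrypted type; metadata needed for
# filtering (model name, timestamps) stays in plain columns.
defmodule MyApp.Audit.Event do
  use Ecto.Schema

  schema "audit_events" do
    field :prompt, MyApp.Encrypted.Binary
    field :response, MyApp.Encrypted.Binary
    field :model, :string
    timestamps()
  end
end
```

Because the ciphertext carries the cipher tag, a key rotation is done by adding a second cipher under a new tag, moving the old one to Cloak's `retired` list, and re-encrypting existing rows with Cloak.Ecto's migrator; the vault refuses to start if the key is missing or not 32 bytes.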
All connections use TLS 1.3. API endpoints enforce HTTPS. The dashboard and all web traffic are served over encrypted channels. Certificate management is handled by the hosting provider with automatic renewal.
API keys are hashed with HMAC-SHA256 before storage. Raw keys are never persisted. Key prefixes (sk_live_, sk_test_) indicate environment without exposing the secret. Keys are shown only once at creation.
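The key scheme described above, as an added example (not SignalVault's code): generate a random secret behind an environment prefix, hand the raw key back exactly once, persist only an HMAC-SHA256 of it keyed with a server-side secret, and verify presented keys with a constant-time comparison. The module name, function names and the API_KEY_HMAC_SECRET variable are assumptions.

```elixir
# Added example, not the project's code. Assumes Erlang/OTP 22.1+ for
# :crypto.mac/4 and the plug_crypto dependency for secure_compare/2.

defmodule MyApp.ApiKeys do
  @prefixes %{live: "sk_live_", test: "sk_test_"}

  # 32 random bytes, URL-safe base64 without padding, gives 43 characters of
  # secret behind a prefix that tells the caller which environment it targets.
  def generate(env) when env in [:live, :test] do
    secret = 32 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)
    raw = @prefixes[env] <> secret

    # The raw key is returned to the caller once; only the record is stored.
    {raw, %{prefix: @prefixes[env], key_hash: digest(raw)}}
  end

  # HMAC-SHA256 keyed with a secret that lives in the environment, not in the
  # database. A dumped key_hash column alone cannot be turned back into a
  # usable key, and an attacker without the secret cannot even test guesses
  # against it offline.
  def digest(raw_key) when is_binary(raw_key) do
    :crypto.mac(:hmac, :sha256, hmac_secret(), raw_key)
  end

  # The digest is deterministic, so the row is found with an exact match on a
  # unique index over key_hash; the constant-time compare on the fetched
  # value avoids leaking how many bytes matched.
  def verify(presented, stored_hash)
      when is_binary(presented) and is_binary(stored_hash) do
    Plug.Crypto.secure_compare(digest(presented), stored_hash)
  end

  # Assumed variable name. Rotating this secret invalidates every stored
  # digest, so it is rotated deliberately, with reissued keys, not casually.
  defp hmac_secret do
    "API_KEY_HMAC_SECRET" |> System.fetch_env!() |> Base.decode64!()
  end
end

# Usage:
#   {raw, record} = MyApp.ApiKeys.generate(:test)
#   String.starts_with?(raw, "sk_test_")            # true
#   MyApp.ApiKeys.verify(raw, record.key_hash)      # true
#   MyApp.ApiKeys.verify("sk_test_wrong", record.key_hash)  # false
```

Storing the digest as a raw 32-byte binary column keeps lookups indexable; the prefix is stored separately so the dashboard can label a key's environment without ever holding the secret again.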
Session-based authentication with bcrypt password hashing. Rate limiting on login (20 requests/minute) and API endpoints (120 requests/minute). CSRF protection on all forms. Secure session cookies with HttpOnly and SameSite attributes.
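One detail of a bcrypt login path that the summary above does not spell out is what happens when the email is unknown. The following added example (not SignalVault's code) shows the password check together with the equal-cost branch for a missing account, so response time does not reveal which addresses are registered. The Repo, User schema, field names and the bcrypt_elixir dependency are assumptions.

```elixir
# Added example, not the project's code. Assumes bcrypt_elixir, an Ecto Repo
# named MyApp.Repo and a MyApp.Accounts.User schema with email and
# hashed_password fields.

defmodule MyApp.Accounts do
  alias MyApp.Repo
  alias MyApp.Accounts.User

  # Called at registration: bcrypt with a per-password random salt, stored
  # as a single string that also encodes the cost factor.
  def hash_password(password) when is_binary(password) do
    Bcrypt.hash_pwd_salt(password)
  end

  # Called at login. Both branches return the same error and spend the same
  # bcrypt work, so a timing difference cannot be used to enumerate users.
  def authenticate(email, password) when is_binary(email) and is_binary(password) do
    case Repo.get_by(User, email: email) do
      %User{hashed_password: hash} = user when is_binary(hash) ->
        if Bcrypt.verify_pass(password, hash) do
          {:ok, user}
        else
          {:error, :invalid_credentials}
        end

      nil ->
        # Runs a dummy bcrypt verification of equivalent cost for unknown
        # emails, so "no such user" takes as long as "wrong password".
        Bcrypt.no_user_verify()
        {:error, :invalid_credentials}
    end
  end
end
```

The rate limit on the login route is the other half of this defence: bcrypt makes each guess slow, and the per-minute cap bounds how many guesses a single client can make at all.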
Automated retention policies: Starter plan 30 days, Growth plan 90 days, Enterprise up to 365 days. Expired data is permanently deleted via scheduled background jobs. Account deletion removes all associated data, including audit logs, rules, and API keys.
Deployed on hardened infrastructure with minimal attack surface. Database credentials are supplied through environment configuration, so they can be rotated without code changes or redeploys of application source. No secrets in source control. Dependencies are audited and kept current.
Designed with the SOC 2 Trust Services Criteria in mind. Encrypted audit trails for every AI interaction. Access logging. Policy enforcement via guardrail rules. Export capabilities (CSV, JSON) for compliance reviews and evidence collection.
We take security vulnerabilities seriously. If you discover an issue, please report it to support@signalvault.io. We aim to acknowledge reports within 48 hours and will work with you to resolve issues before public disclosure.