Tenavora Unified Platform
Skip to content

Security

How we protect customer data and the controls we have in place.

v1.0 Last updated

Our approach

Security is a foundational property of Tenavora, not a feature sold separately. We design every component with defense-in-depth and the assumption that any single layer can fail.

Compliance

We are working toward the following certifications:

  • SOC 2 Type II — target 2026 Q4
  • ISO 27001 — target 2027 Q1
  • GDPR — operational compliance from launch
  • HIPAA BAAs — available for Enterprise customers handling PHI

Audit reports and BAAs are available under NDA. Contact [email protected].

Infrastructure

  • All workloads run on hardened Linux containers
  • TLS 1.2+ for all traffic; TLS 1.3 preferred
  • Firewalled VPC; database not directly reachable from internet
  • Cloudflare DDoS protection at the edge
  • Automated patching for OS and runtime images

Data protection

  • At rest: AES-256 encryption on all storage volumes
  • In transit: TLS to all endpoints, mTLS for service-to-service
  • Field-level: Per-tenant encryption keys for PII columns
  • Backups: Daily encrypted backups with 30-day retention; tested quarterly

Identity & access (our own)

  • Mandatory MFA for all employee accounts
  • SSO via corporate identity provider
  • Just-in-time access for production with auto-expiry
  • All production access logged and reviewed monthly

Application security

  • Static analysis on every pull request
  • Dependency scanning with auto-remediation PRs
  • Annual third-party penetration testing
  • Bug bounty program for security researchers

Multi-tenant isolation

  • Row-level security enforced at the database tier
  • Per-tenant API rate limits and resource quotas
  • Tenant-aware audit logs — no cross-tenant access possible

Incident response

  • 24/7 on-call rotation
  • Documented runbooks for common incident classes
  • Customer notification within 72 hours of confirmed data incident
  • Post-incident reviews shared with affected customers

Responsible disclosure

If you’ve discovered a security vulnerability:

  1. Email [email protected] with details
  2. Include steps to reproduce and impact assessment
  3. Do not publicly disclose until we’ve had time to patch
  4. We commit to acknowledge within 24 hours and patch critical issues within 7 days

We do not currently offer a paid bounty, but we publicly credit researchers (with permission) and may offer swag or credits for valid reports.

Contact

Security inquiries: [email protected] PGP key available on request.