Security
How we protect customer data and the controls we have in place.
v1.0
Last updated
Our approach
Security is a foundational property of Tenavora, not a feature sold separately. We design every component with defense-in-depth and the assumption that any single layer can fail.
Compliance
We are working toward the following certifications:
- SOC 2 Type II — target 2026 Q4
- ISO 27001 — target 2027 Q1
- GDPR — operational compliance from launch
- HIPAA BAAs — available for Enterprise customers handling PHI
Audit reports and BAAs are available under NDA. Contact [email protected].
Infrastructure
- All workloads run on hardened Linux containers
- TLS 1.2+ for all traffic; TLS 1.3 preferred
- Firewalled VPC; database not directly reachable from internet
- Cloudflare DDoS protection at the edge
- Automated patching for OS and runtime images
Data protection
- At rest: AES-256 encryption on all storage volumes
- In transit: TLS to all endpoints, mTLS for service-to-service
- Field-level: Per-tenant encryption keys for PII columns
- Backups: Daily encrypted backups with 30-day retention; tested quarterly
Identity & access (our own)
- Mandatory MFA for all employee accounts
- SSO via corporate identity provider
- Just-in-time access for production with auto-expiry
- All production access logged and reviewed monthly
Application security
- Static analysis on every pull request
- Dependency scanning with auto-remediation PRs
- Annual third-party penetration testing
- Bug bounty program for security researchers
Multi-tenant isolation
- Row-level security enforced at the database tier
- Per-tenant API rate limits and resource quotas
- Tenant-aware audit logs — no cross-tenant access possible
Incident response
- 24/7 on-call rotation
- Documented runbooks for common incident classes
- Customer notification within 72 hours of confirmed data incident
- Post-incident reviews shared with affected customers
Responsible disclosure
If you’ve discovered a security vulnerability:
- Email [email protected] with details
- Include steps to reproduce and impact assessment
- Do not publicly disclose until we’ve had time to patch
- We commit to acknowledge within 24 hours and patch critical issues within 7 days
We do not currently offer a paid bounty, but we publicly credit researchers (with permission) and may offer swag or credits for valid reports.
Contact
Security inquiries: [email protected] PGP key available on request.