Governance

Trust and security

Trust documentation summarizes the security and governance controls currently implemented in the product without overstating formal compliance certifications.

Audience: Security reviewers, buyers, owners

Current controls

  • Owner, admin, member, team lead, and team member roles.
  • Owner-only owner management and last-owner protection.
  • Invitation management and team membership controls.
  • API keys generated with strong random values and stored as SHA-256 hashes.
  • Fine-grained permission overrides for product-area access control.
  • DB-backed rate limits for telemetry ingest, agent ingest, heartbeat, and GitHub webhook endpoints.
  • GitHub webhook signature verification and delivery idempotency.
  • Verified integration lifecycle that distinguishes an integration that has only been configured from one whose delivery to the connected provider has been verified.
  • Dashboard and root error boundaries to keep unexpected view errors from exposing raw stack traces.
  • Audit logs for access, configuration, alerting, routing, incident, review, report, integration, and API key changes.
  • Private dashboard, admin, and API routes excluded from public crawling.
  • Alert delivery logs, maintenance windows, on-call schedules, incident timelines, and post-incident reviews.
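Two of the controls above (API keys stored only as SHA-256 hashes, and GitHub webhook signature verification with delivery idempotency) are the ones a security reviewer most often asks to see in code. The following is an added illustration, not the product's own implementation: it assumes an in-memory stand-in for the API key table, a constructed "tk_" key prefix, and the real GitHub header names X-Hub-Signature-256 and X-GitHub-Delivery.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """In-memory stand-in for the database table of API key hashes (constructed for this example).

    The raw key is returned exactly once at creation time; only its SHA-256
    digest is persisted, so a database leak does not expose usable keys.
    """

    def __init__(self):
        self._records = {}  # sha256 hex digest -> {"label": str, "revoked": bool}

    @staticmethod
    def _digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def create(self, label: str) -> str:
        # token_urlsafe(32) draws 32 bytes (256 bits) from the OS CSPRNG.
        # The "tk_" prefix is an assumed convention for this example only.
        raw_key = "tk_" + secrets.token_urlsafe(32)
        self._records[self._digest(raw_key)] = {"label": label, "revoked": False}
        return raw_key

    def authenticate(self, presented: str):
        """Return the key's label if it is known and active, otherwise None."""
        record = self._records.get(self._digest(presented))
        if record is None or record["revoked"]:
            return None
        return record["label"]

    def revoke(self, raw_key: str) -> bool:
        record = self._records.get(self._digest(raw_key))
        if record is None:
            return False
        record["revoked"] = True
        return True


def verify_github_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Check GitHub's X-Hub-Signature-256 header ("sha256=<hex HMAC>") over the raw body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(expected, signature_header)


class WebhookReceiver:
    """Verify each delivery's signature, then process each X-GitHub-Delivery id at most once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen_deliveries = set()  # stand-in for a persisted delivery-id table
        self.processed = []

    def handle(self, headers: dict, body: bytes) -> str:
        sig = headers.get("X-Hub-Signature-256", "")
        if not verify_github_signature(self._secret, body, sig):
            return "rejected: bad signature"
        delivery_id = headers.get("X-GitHub-Delivery")
        if not delivery_id:
            return "rejected: missing delivery id"
        if delivery_id in self._seen_deliveries:
            return "duplicate: already processed"
        self._seen_deliveries.add(delivery_id)
        self.processed.append(body)
        return "accepted"


def sign_body(secret: bytes, body: bytes) -> str:
    """Helper that produces the header value GitHub would send (used here to build a constructed delivery)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create("ci-runner")
    print("authenticated as:", store.authenticate(key))
    print("unknown key:", store.authenticate("tk_not-a-real-key"))

    secret = b"constructed-example-webhook-secret"
    body = b'{"action":"opened","number":1}'
    headers = {"X-Hub-Signature-256": sign_body(secret, body), "X-GitHub-Delivery": "delivery-0001"}
    receiver = WebhookReceiver(secret)
    print(receiver.handle(headers, body))
    print(receiver.handle(headers, body))  # redelivery of the same id is ignored
```

The hash lookup means the store never holds anything an attacker could present directly, and revocation only flips a flag on the stored digest. On the webhook side, signature verification must run over the exact raw request bytes before any JSON parsing, and the delivery-id set should be persisted (with a retention window) in a real deployment so retries across restarts stay idempotent.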

Compliance statement

  • The product includes enterprise-readiness controls, but does not claim SOC 2, ISO 27001, HIPAA, or FedRAMP certification.
  • Formal certifications should be treated as roadmap work until completed.
  • Use the Trust page and audit log to support security review discussions.

Roadmap controls

  • SAML/SSO for enterprise identity providers.
  • SCIM provisioning for automated user lifecycle management.
  • Security questionnaire exports and formal SOC 2 readiness package.

Related documentation