Encryption
- Data in transit: TLS 1.2+ for all client-server and service-to-service traffic; TLS 1.3 preferred.
- Data at rest: AES-256 for all database stores (PlanetScale/MySQL) and object storage.
- Secrets: environment-variable injection; no secrets committed to version control; automated rotation for service account tokens.
Identity & Access Control
- Admin Control Plane (`admin.betterdata.co`): Google authentication with mandatory MFA.
- Tenant access: OAuth 2.0 / API key with per-tenant scoping.
- Entitlements: `TenantCapabilitySnapshot` enforces RBAC; modules never read raw entitlement data.
- Principle of least privilege applied to all service accounts and personnel.
Audit & Monitoring
- Loop Audit Trail: tamper-evident record of every state transition with actor identity, timestamp, `correlationId`, and `causationId` generated as a natural output of platform operation.
- Drift Detection: scheduled worker reconciles expected vs. observed module state per tenant.
- API access logs retained for security monitoring and incident reconstruction.
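The Loop Audit Trail entry above lists actor, timestamp, `correlationId` and `causationId`, and calls the record tamper-evident. One common way to get that property is a hash chain, where each entry commits to the previous entry's digest so any in-place edit or deletion breaks verification. The block below is an added illustration written for this page, not the platform's own code: the SHA-256 chain, the `AuditTrail` class and the sample entries are constructed assumptions, and only the field names come from the text.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed example: a minimal hash-chained audit trail.
# actor / timestamp / correlationId / causationId follow the posture page;
# the chaining scheme and the AuditTrail API are assumptions for illustration.

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str               # ISO-8601, supplied by the caller for determinism
    actor: str                   # who performed the transition (service or user)
    tenantId: str
    transition: str              # e.g. "module.enabled"
    correlationId: str           # groups every entry produced by one logical request
    causationId: Optional[str]   # seq of the entry that directly caused this one
    prevHash: str                # digest of the previous entry (chain link)
    entryHash: str = ""


def compute_hash(entry_dict: dict) -> str:
    # Hash every field except the hash itself; sorted keys make the digest canonical.
    body = {k: v for k, v in entry_dict.items() if k != "entryHash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, timestamp, actor, tenantId, transition,
               correlationId, causationId=None) -> AuditEntry:
        prev = self.entries[-1].entryHash if self.entries else GENESIS_HASH
        draft = dict(seq=len(self.entries), timestamp=timestamp, actor=actor,
                     tenantId=tenantId, transition=transition,
                     correlationId=correlationId, causationId=causationId,
                     prevHash=prev, entryHash="")
        draft["entryHash"] = compute_hash(draft)
        entry = AuditEntry(**draft)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e.prevHash != prev or compute_hash(asdict(e)) != e.entryHash:
                return e.seq
            prev = e.entryHash
        return None


def build_sample_trail() -> AuditTrail:
    # Constructed sample: one request (req-0001) producing two causally linked entries.
    trail = AuditTrail()
    first = trail.append("2024-01-01T00:00:00Z", "svc:provisioner", "tenant-a",
                         "module.requested", "req-0001")
    trail.append("2024-01-01T00:00:01Z", "svc:provisioner", "tenant-a",
                 "module.enabled", "req-0001", causationId=str(first.seq))
    trail.append("2024-01-01T00:00:05Z", "user:alice", "tenant-a",
                 "config.updated", "req-0002")
    return trail


def tamper_actor() -> Optional[int]:
    # Rewriting a field in place without touching the hash: detected at that entry.
    trail = build_sample_trail()
    d = asdict(trail.entries[1])
    d["actor"] = "user:mallory"
    trail.entries[1] = AuditEntry(**d)
    return trail.verify()


def tamper_actor_and_rehash() -> Optional[int]:
    # Rewriting the field AND recomputing its hash: the next entry's prevHash no longer matches.
    trail = build_sample_trail()
    d = asdict(trail.entries[1])
    d["actor"] = "user:mallory"
    d["entryHash"] = compute_hash(d)
    trail.entries[1] = AuditEntry(**d)
    return trail.verify()


def entries_for_correlation(trail: AuditTrail, correlationId: str) -> List[int]:
    # Incident reconstruction: pull every transition belonging to one request.
    return [e.seq for e in trail.entries if e.correlationId == correlationId]
```

The two tamper functions show why the chain matters: editing a field is caught at the edited entry, and editing plus re-hashing is caught one entry later, so the only undetectable rewrite is of the chain's tail, which is why a production deployment anchors the latest digest somewhere the writer cannot alter (a separate store or a periodic signed checkpoint).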
Network & Infrastructure
- AWS VPC with private subnets for all data stores.
- Web Application Firewall (WAF) on all public-facing endpoints.
- DDoS mitigation at the network layer.
- Outbox Relay uses a DB-backed channel log; having no external message broker reduces the attack surface.
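The Outbox Relay item describes the transactional-outbox pattern: the state change and the event announcing it are written in one database transaction, and a relay later reads the log and delivers undelivered rows, so no separate broker has to be exposed or secured. The block below is an added illustration written for this page, not the platform's code; the SQLite schema, the `relay_once` API and the sample events are assumptions.

```python
import json
import sqlite3
from typing import Callable, Dict, List

# Constructed example of a DB-backed outbox channel log.
# Table and column names are assumptions, not the platform's schema.
SCHEMA = """
CREATE TABLE modules (
    tenant_id TEXT, module TEXT, state TEXT,
    PRIMARY KEY (tenant_id, module)
);
CREATE TABLE outbox (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    channel TEXT NOT NULL,
    payload TEXT NOT NULL,
    delivered INTEGER NOT NULL DEFAULT 0
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_module_state(conn, tenant_id, module, state, correlation_id) -> None:
    # The state row and its outbox event commit atomically: both persist or neither does.
    with conn:
        conn.execute("INSERT OR REPLACE INTO modules VALUES (?, ?, ?)",
                     (tenant_id, module, state))
        event = {"type": "module.state_changed", "tenantId": tenant_id,
                 "module": module, "state": state, "correlationId": correlation_id}
        conn.execute("INSERT INTO outbox (channel, payload) VALUES (?, ?)",
                     ("module-events", json.dumps(event)))


def relay_once(conn, deliver: Callable[[int, dict], None], batch: int = 10) -> int:
    """Deliver undelivered rows in id order; a row is marked only after the handler returns."""
    rows = conn.execute(
        "SELECT id, payload FROM outbox WHERE delivered = 0 ORDER BY id LIMIT ?",
        (batch,)).fetchall()
    sent = 0
    for row_id, payload in rows:
        deliver(row_id, json.loads(payload))  # on exception the row stays pending and is retried
        with conn:
            conn.execute("UPDATE outbox SET delivered = 1 WHERE id = ?", (row_id,))
        sent += 1
    return sent


class Consumer:
    """Delivery is at-least-once, so the consumer de-duplicates on the outbox id."""

    def __init__(self) -> None:
        self.seen = set()
        self.applied: List[dict] = []
        self.fail_next = False  # constructed switch to simulate a transient failure

    def handle(self, event_id: int, event: dict) -> None:
        if self.fail_next:
            self.fail_next = False
            raise RuntimeError("transient delivery failure")
        if event_id in self.seen:
            return
        self.seen.add(event_id)
        self.applied.append(event)


def demo() -> Dict[str, int]:
    conn = open_db()
    set_module_state(conn, "tenant-a", "billing", "enabled", "req-1")
    set_module_state(conn, "tenant-a", "reports", "enabled", "req-1")
    consumer = Consumer()
    consumer.fail_next = True
    first_pass = 0
    try:
        first_pass = relay_once(conn, consumer.handle)   # fails on the first row
    except RuntimeError:
        pass
    second_pass = relay_once(conn, consumer.handle)      # retries and drains the log
    pending = conn.execute("SELECT COUNT(*) FROM outbox WHERE delivered = 0").fetchone()[0]
    return {"first_pass": first_pass, "second_pass": second_pass,
            "applied": len(consumer.applied), "pending": pending}
```

The failed first pass leaves both rows pending and the second pass drains them, which is the at-least-once guarantee the pattern gives; the relay's read and update run under the database's own access controls and audit logging, so there is no second system whose authentication and network exposure would need separate hardening.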
Vulnerability Management
- Dependency scanning in CI/CD pipeline.
- CycloneDX SBOM generated on demand for Enterprise customers.
- Critical severity: patched within 72 hours.
- High severity: patched within 14 days.
- Annual third-party penetration test (executive summary available under NDA).
Incident Response
- Defined response plan with roles, escalation paths, and communication procedures.
- 72-hour customer notification SLA for confirmed incidents involving Customer Data.
- Post-incident review (PIR) available to affected customers on request.
- Report a vulnerability: security@betterdata.co