Security

Enterprise security posture and reporting

Security controls are managed with explicit status labels so teams can evaluate what is verified today and what is in progress.

Core security controls in production

Strict JWT issuer, audience, and expiration verification across protected routes.
Workspace-scoped authorization checks for pipeline and run actions.
Signed webhook verification with anti-replay timestamp windows.
SSRF protections on outbound connector and integration requests.
Immutable security audit events for sensitive operational actions.

Controls and audit evidence program active across CC1–CC9 trust service criteria.

In Progress

Data handling patterns designed for GDPR workflows.

Verified

Access is scoped to least privilege and audited actions.

Verified

Standard Data Processing Agreement available for enterprise onboarding.

Verified

Static security analysis and dependency review in CI.
Secret scanning on code changes with project-specific false-positive rules.
OpenAPI-to-TypeScript consistency checks to prevent drift in client/server contracts.
Security regression tests for token validation and route protections.

Use the contact form with reproduction steps and impact details. We acknowledge valid reports within 48 hours.

Enterprise security posture and reporting

Security controls are managed with explicit status labels so teams can evaluate what is verified today and what is in progress.

Strict JWT issuer, audience, and expiration verification across protected routes.
Workspace-scoped authorization checks for pipeline and run actions.
Signed webhook verification with anti-replay timestamp windows.
SSRF protections on outbound connector and integration requests.
Immutable security audit events for sensitive operational actions.