Security you can hand to your CISO

Your data is encrypted in transit and at rest. No exceptions.

• TLS 1.3 on every connection. HTTP requests redirect to HTTPS before any data leaves the wire.
• AES-256-GCM encryption at rest across PostgreSQL and Qdrant vector storage.
• Passwords hashed with bcrypt at cost factor 12. Rainbow tables are useless.
• API keys hashed with SHA-256 before storage. We never store, log, or display your key in plaintext after creation.
• Webhook payloads signed with HMAC-SHA256. Recipients verify the signature before processing. Replay attacks fail.

Multiple identity verification layers protect every access point.

• JWT access tokens expire in 15 minutes. Refresh tokens live in httpOnly cookies with 7-day expiry and Secure + SameSite=Strict flags. XSS cannot steal them.
• API key authentication for machine-to-machine access. Each key is scoped to specific sites and permissions. Keys rotate without downtime.
• OAuth 2.1 Bearer auth on the MCP endpoint (/mcp), following RFC 9728 for server discovery. Supports both JWT and API key bearer tokens.
• TOTP two-factor authentication (RFC 6238). Encrypted backup codes generated at setup. Compatible with any authenticator app: Google Authenticator, Authy, 1Password.
• Account lockout after 5 consecutive failed login attempts with automatic cooldown recovery. Anti-enumeration responses on all auth endpoints return identical timing and status codes for valid and invalid accounts.

Your data lives in its own namespace. Always.

• Every client gets a dedicated Qdrant vector collection. Content chunks, 384-dimensional embeddings, and metadata are physically separated from every other customer. No shared collections.
• Default-deny middleware on every API route. Access requires a valid JWT or API key with the correct scope. No route is accessible without authentication.
• Role-based access control with organization hierarchy: owner, admin, member. Permissions enforced at the database query level with SELECT ... FOR UPDATE, not just the application layer.
• API keys scoped to individual sites. A key for site A cannot read, write, or query data from site B. Scope is checked on every request.
• Cross-tenant queries are structurally impossible. Collection names include the client identifier. There is no "all clients" collection to accidentally query.

Every security-sensitive action is logged. Every anomaly is flagged.

• Immutable audit logs record the actor, action, timestamp, and before/after state for logins, permission changes, data exports, and account deletions. Logs cannot be modified or deleted through the application.
• Sentry error tracking with automatic PII scrubbing. Email addresses, API keys, and passwords are stripped before any data leaves the server. Scrubbing rules verified in test suite.
• MCP query anomaly detection using Redis sliding-window rate limiting. Per-plan daily quotas prevent abuse: Growth gets 10K queries/day, Scale gets 50K. Spike alerts fire when a single key exceeds 3x its rolling average.
• Alert rules trigger on job failure rate spikes, Redis queue depth exceeding 1,000 messages, and Qdrant connection failures. Alerts route to the on-call channel within 60 seconds.
• Structured JSON logging in production. Every log entry carries a request_id for end-to-end tracing across API, worker, and database layers. No unstructured log lines.

Defense-in-depth from the network edge to the application layer.

• Security headers on every response: HSTS (max-age=31536000, includeSubDomains), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, Content-Security-Policy with explicit source allowlists.
• CORS configured with credential restrictions and explicit origin allowlists. Wildcard origins are never permitted. Preflight requests cached for 1 hour.
• SSRF validation on all user-submitted URLs. Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost, link-local (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254) are blocked before any outbound request.
• Rate limiting at the API gateway layer. Authentication endpoints: 5 requests/minute. Data endpoints: per-plan limits. Rate limit headers (X-RateLimit-Remaining, X-RateLimit-Reset) returned on every response.
• Error responses in production return a request_id and a human-readable message. Stack traces, internal file paths, and database details are never exposed. Error format validated in CI.

Built for regulated industries from day one.

• GDPR Article 20 data portability: download your full profile, sites, jobs, API keys, and query history as a structured JSON archive. Available in-app under Settings. Export completes in under 30 seconds for typical accounts.
• GDPR Article 17 right to erasure: cascading deletion removes user data, sites, jobs, vector collections, API keys, and audit logs. Active crawl jobs are cancelled before deletion begins. Deletion is irreversible and confirmed via email.
• Per-plan data retention enforcement runs on an automated schedule. Free tier: 7 days. Growth: 30 days. Scale: 90 days. Enterprise: 365 days. Expired data is purged from PostgreSQL and Qdrant, not archived.
• Stripe handles all payment processing (PCI-DSS Level 1 certified). Card numbers, CVVs, and bank details never touch VectorEO servers. We store only the Stripe customer ID and subscription state.
• All crawling respects robots.txt directives, including AI-specific crawler rules for GPTBot, ClaudeBot, and PerplexityBot. Sites that block crawling are not crawled. Robots.txt is re-checked on every crawl cycle.