Security Overview

Understanding the platform’s security architecture, best practices, and compliance features for protecting sensitive data.

Security Principles

The platform is built on these security principles:

  1. Defense in Depth: Multiple layers of security controls

  2. Least Privilege: Minimal permissions required

  3. Encryption Everywhere: Data encrypted in transit and at rest

  4. Audit Everything: Complete audit trail of all operations

  5. Secure by Default: Secure configuration out of the box

Security Architecture

Authentication

Supported methods:

  • Local Users: Username/password stored in the platform

  • LDAP / Active Directory: Enterprise directory integration

  • Single Sign-On (SSO): SAML 2.0, OAuth 2.0

  • API Keys: Service account authentication

See: Authentication

Authorization

Role-Based Access Control (RBAC):

  • Roles: Admin, User, Viewer

  • Permissions: Create/Read/Update/Delete workflows

  • Projects: Isolate workflows and data sources

  • Groups: Organize users

See: RBAC

Data Protection

Encryption:

  • In Transit: TLS 1.2+ for all network communication

  • At Rest: Database encryption (PostgreSQL, MySQL)

  • Secrets: Integration with secret managers

Secret Management:

  • HashiCorp Vault: Enterprise secret management

  • AWS Secrets Manager: AWS secret storage

  • GCP Secret Manager: Google Cloud secrets

  • Azure Key Vault: Microsoft Azure secrets

See: Secret Management

Network Security

Network Isolation:

  • Backend in private network

  • Database not publicly accessible

  • Agents communicate via internal network

  • Firewall rules restrict access

TLS/SSL:

  • HTTPS for web UI

  • Encrypted database connections

  • Certificate management

Audit Logging

What’s logged:

  • User authentication (login/logout)

  • Workflow creation/modification/execution

  • Data source access

  • Configuration changes

  • Failed access attempts

Log retention:

  • Configurable retention period

  • Export to SIEM systems

  • Compliance reporting

Security Best Practices

1. Credential Management

DO: * ✅ Use secret managers (Vault, AWS, GCP) * ✅ Rotate credentials regularly * ✅ Use strong passwords (12+ characters) * ✅ Enable MFA for admin accounts

DON’T: * ❌ Hardcode credentials in configs * ❌ Store passwords in plain text * ❌ Commit secrets to Git * ❌ Share admin credentials

2. Network Security

DO: * ✅ Use private networks for platform components * ✅ Enable TLS/HTTPS everywhere * ✅ Restrict database access to the platform only * ✅ Use VPN for remote access

DON’T: * ❌ Expose backend to public internet * ❌ Allow unencrypted database connections * ❌ Use default ports without firewall * ❌ Disable SSL certificate verification

3. Access Control

DO: * ✅ Implement RBAC * ✅ Use least privilege principle * ✅ Regular access reviews * ✅ Disable inactive accounts

DON’T: * ❌ Give everyone admin access * ❌ Share user accounts * ❌ Skip authentication for "internal" systems * ❌ Grant permanent access tokens

4. Data Handling

DO: * ✅ Use read-only mode for source databases * ✅ Validate output data * ✅ Test on small datasets first * ✅ Document data transformations

DON’T: * ❌ Mix production and test environments * ❌ Copy production data without masking * ❌ Skip referential integrity validation * ❌ Bypass data classification

Compliance Features

GDPR Compliance

The platform helps with GDPR compliance:

Right to Erasure: * Delete or mask personal data * Irreversible transformations * Audit trail of deletions

Data Minimization: * Subsetting reduces data volume * Only necessary data copied * Automated data cleanup

Data Portability: * Export data in standard formats * CSV, JSON generation * Database-to-database transfers

HIPAA Compliance

For healthcare data:

De-identification: * Mask all 18 HIPAA identifiers * Safe Harbor method support * Statistical de-identification

Access Controls: * RBAC for PHI access * Audit logs for compliance * Encryption at rest and in transit

SOC 2 Compliance

For service organizations:

Security Controls: * Access controls (RBAC) * Encryption (TLS, database) * Change management (version control) * Monitoring and alerting

Availability Controls: * High availability (Kubernetes) * Backup and recovery * Disaster recovery

Security Hardening

Production Deployment Checklist

  • Change all default passwords

  • Configure SSO or LDAP

  • Enable HTTPS with valid certificates

  • Set up secret manager integration

  • Configure RBAC roles and permissions

  • Enable audit logging

  • Restrict network access

  • Set up monitoring and alerting

  • Regular security updates

  • Backup and disaster recovery plan

Environment-Specific Settings

Development: * Local authentication acceptable * Less strict network rules * Shorter log retention

Staging: * Mirror production security * Test security configs * Validate access controls

Production: * Strictest security controls * SSO/LDAP required * Full audit logging * Secret manager integration * Network isolation * Regular security audits

Vulnerability Management

Keeping the Platform Secure

  1. Regular Updates:

    • Update the platform to latest version

    • Security patches applied promptly

    • Review release notes

See: Updating the Platform

  1. Dependency Scanning:

    • Platform images scanned for vulnerabilities

    • CVE tracking and remediation

    • Third-party library updates

  2. Security Monitoring:

    • Monitor for suspicious activity

    • Alert on failed authentication attempts

    • Track unusual data access patterns

Incident Response

If security incident occurs:

  1. Isolate: Disconnect affected systems

  2. Assess: Determine scope and impact

  3. Contain: Prevent further damage

  4. Eradicate: Remove threat

  5. Recover: Restore normal operations

  6. Review: Post-incident analysis

Contacts: * Review audit logs * Check user activity * Verify data integrity * Document incident

Security Resources

Internal Documentation

External Resources

  • OWASP Top 10

  • NIST Cybersecurity Framework

  • CIS Benchmarks

  • GDPR Guidelines

  • HIPAA Security Rule

Security Checklist Summary

Authentication: ✓ SSO/LDAP configured Authorization: ✓ RBAC enabled Encryption: ✓ TLS everywhere Secrets: ✓ Secret manager integrated Audit: ✓ Logging enabled Network: ✓ Firewall configured Updates: ✓ Patch management process Monitoring: ✓ Alerts configured Backup: ✓ DR plan tested Training: ✓ Team security aware

Get Help

For security questions: