Security Overview

Understanding the platform’s security architecture, best practices, and compliance features for protecting sensitive data.

Security Principles

The platform is built on these security principles:

  1. Defense in Depth: Multiple layers of security controls

  2. Least Privilege: Minimal permissions required

  3. Encryption Everywhere: Data encrypted in transit and at rest

  4. Audit Everything: Complete audit trail of all operations

  5. Secure by Default: Secure configuration out of the box

Security Architecture

Authentication

Supported methods:

  • Local Users: Username/password stored in the platform

  • LDAP / Active Directory: Enterprise directory integration

  • Single Sign-On (SSO): SAML 2.0, OAuth 2.0

  • API Keys: Service account authentication

See: Authentication

Authorization

Role-Based Access Control (RBAC):

  • Global Roles: Member, Administrator, Owner

  • Project Roles: Viewer, Editor, Admin, Owner

  • Permissions: Create/Read/Update/Delete workflows

  • Projects: Isolate workflows and data sources

  • Groups: Organize users

  • Automatic role assignment: Via SAML group mapping or LDAP authorities

See: RBAC

Data Protection

Encryption:

  • In Transit: TLS 1.2+ for all network communication

  • At Rest: Database encryption (PostgreSQL, MySQL)

  • Secrets: Integration with secret managers

Secret Management:

  • HashiCorp Vault: Enterprise secret management

  • AWS Secrets Manager: AWS secret storage

  • GCP Secret Manager: Google Cloud secrets

  • Azure Key Vault: Microsoft Azure secrets

See: Secret Management

Network Security

Network Isolation:

  • Backend in private network

  • Database not publicly accessible

  • Agents communicate via internal network

  • Firewall rules restrict access

TLS/SSL:

  • HTTPS for web UI

  • Encrypted database connections

  • Certificate management

Audit Logging

What’s logged:

  • User authentication (login/logout)

  • Workflow creation/modification/execution

  • Data source access

  • Configuration changes

  • Failed access attempts

Log retention:

  • Configurable retention period

  • Export to SIEM systems

  • Compliance reporting

Security Best Practices

1. Credential Management

DO:

  • ✅ Use secret managers (Vault, AWS, GCP)

  • ✅ Rotate credentials regularly

  • ✅ Use strong passwords (12+ characters)

  • ✅ Enable MFA for admin accounts

DON’T:

  • ❌ Hardcode credentials in configs

  • ❌ Store passwords in plain text

  • ❌ Commit secrets to Git

  • ❌ Share admin credentials

2. Network Security

DO:

  • ✅ Use private networks for platform components

  • ✅ Enable TLS/HTTPS everywhere

  • ✅ Restrict database access to the platform only

  • ✅ Use VPN for remote access

DON’T:

  • ❌ Expose backend to public internet

  • ❌ Allow unencrypted database connections

  • ❌ Use default ports without firewall

  • ❌ Disable SSL certificate verification

3. Access Control

DO:

  • ✅ Implement RBAC

  • ✅ Use least privilege principle

  • ✅ Regular access reviews

  • ✅ Disable inactive accounts

DON’T:

  • ❌ Give everyone admin access

  • ❌ Share user accounts

  • ❌ Skip authentication for "internal" systems

  • ❌ Grant permanent access tokens

4. Data Handling

DO:

  • ✅ Use read-only mode for source databases

  • ✅ Validate output data

  • ✅ Test on small datasets first

  • ✅ Document data transformations

DON’T:

  • ❌ Mix production and test environments

  • ❌ Copy production data without masking

  • ❌ Skip referential integrity validation

  • ❌ Bypass data classification

Compliance Features

GDPR Compliance

The platform helps with GDPR compliance:

Right to Erasure:

  • Delete or mask personal data

  • Irreversible transformations

  • Audit trail of deletions

Data Minimization:

  • Subsetting reduces data volume

  • Only necessary data copied

  • Automated data cleanup

Data Portability:

  • Export data in standard formats

  • CSV, JSON generation

  • Database-to-database transfers

HIPAA Compliance

For healthcare data:

De-identification:

  • Mask all 18 HIPAA identifiers

  • Safe Harbor method support

  • Statistical de-identification

Access Controls:

  • RBAC for PHI access

  • Audit logs for compliance

  • Encryption at rest and in transit

SOC 2 Compliance

For service organizations:

Security Controls:

  • Access controls (RBAC)

  • Encryption (TLS, database)

  • Change management (version control)

  • Monitoring and alerting

Availability Controls:

  • High availability (Kubernetes)

  • Backup and recovery

  • Disaster recovery

Security Hardening

Production Deployment Checklist

  • Change all default passwords

  • Configure SSO or LDAP

  • Enable HTTPS with valid certificates

  • Set up secret manager integration

  • Configure RBAC roles and permissions

  • Enable audit logging

  • Restrict network access

  • Set up monitoring and alerting

  • Regular security updates

  • Backup and disaster recovery plan

Environment-Specific Settings

Development:

  • Local authentication acceptable

  • Less strict network rules

  • Shorter log retention

Staging:

  • Mirror production security

  • Test security configs

  • Validate access controls

Production:

  • Strictest security controls

  • SSO/LDAP required

  • Full audit logging

  • Secret manager integration

  • Network isolation

  • Regular security audits

Vulnerability Management

Keeping the Platform Secure

  1. Regular Updates:

    • Update the platform to latest version

    • Security patches applied promptly

    • Review release notes

See: Updating the Platform

  1. Dependency Scanning:

    • Platform images scanned for vulnerabilities

    • CVE tracking and remediation

    • Third-party library updates

  2. Security Monitoring:

    • Monitor for suspicious activity

    • Alert on failed authentication attempts

    • Track unusual data access patterns

Incident Response

If security incident occurs:

  1. Isolate: Disconnect affected systems

  2. Assess: Determine scope and impact

  3. Contain: Prevent further damage

  4. Eradicate: Remove threat

  5. Recover: Restore normal operations

  6. Review: Post-incident analysis

Contacts:

  • Review audit logs

  • Check user activity

  • Verify data integrity

  • Document incident

Security Resources

Internal Documentation

External Resources

  • OWASP Top 10

  • NIST Cybersecurity Framework

  • CIS Benchmarks

  • GDPR Guidelines

  • HIPAA Security Rule

Security Checklist Summary

Authentication: ✓ SSO/LDAP configured Authorization: ✓ RBAC enabled Encryption: ✓ TLS everywhere Secrets: ✓ Secret manager integrated Audit: ✓ Logging enabled Network: ✓ Firewall configured Updates: ✓ Patch management process Monitoring: ✓ Alerts configured Backup: ✓ DR plan tested Training: ✓ Team security aware

Get Help

For security questions: