Security built into every layer. Not bolted on after.
Rust backend, Zero Trust architecture, cryptographic policy enforcement, and STRIDE threat models on every major component.
EU-hosted · GCP Warsaw, Poland · SOC 2 Type II 2026 · NIS2-aligned · GDPR/RODO-native
Seven foundational security principles
Each principle is enforced at the architecture level — not as optional configuration.
1. Zero Trust Architecture
Every access request verified independently. No trusted zones, no implicit grants. Identity + MFA + policy check on every session.
2. Zero Standing Privileges
Just-in-Time access with a configurable TTL and automatic session expiry. No standing privileged accounts exist, so there is none to steal.
3. Cryptographic Policy Enforcement (PBAC)
Policies signed with Ed25519. Tampered policies rejected at the Policy Decision Point. All evaluation decisions logged with full context.
4. Fail-Closed by Design
Every API endpoint is mapped to an explicit deny-on-failure outcome. If the authorization service is unreachable or returns an error, the request is denied; it is never silently permitted.
5. Complete Session Recording
Video capture + activity logs (keystrokes, commands, clipboard, file transfers). Audit-grade storage with integrity-verified tamper-evident audit trail. Vault Transit encryption.
6. Outbound-Only Connectivity
Connectors open outbound-only tunnels (WebSocket over TLS on port 443), so no inbound ports are exposed on the customer network. Tunnels are authenticated with mTLS in both directions, and connector certificates renew automatically.
7. Default-Deny Everywhere
RDP channels (clipboard, file transfer, audio, USB) blocked by default. API endpoints require valid auth. New users have zero access until explicitly assigned.
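Principles 3 and 5 both depend on an audit trail in which no decision record can be edited, reordered or dropped without detection. The block below is an added example, not the product's code, of the standard construction for that property: an HMAC chain in which each entry's MAC covers its own content and the MAC of the entry before it. It is written in Go (the product's backend is Rust) so it runs on the standard library alone; the record fields, the in-memory store, the key value and the genesis constant are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Entry is one audit record (field names are assumptions for this example).
// PrevMAC links it to its predecessor and MAC authenticates the whole entry,
// so editing, reordering or dropping a record breaks every link after it.
type Entry struct {
	Seq      uint64    `json:"seq"`
	Time     time.Time `json:"time"`
	Subject  string    `json:"subject"`
	Action   string    `json:"action"`
	Resource string    `json:"resource"`
	Decision string    `json:"decision"`
	Context  string    `json:"context"`
	PrevMAC  string    `json:"prev_mac"`
	MAC      string    `json:"mac"`
}

// genesis is the PrevMAC of the first entry.
var genesis = hex.EncodeToString(make([]byte, sha256.Size))

// AuditLog appends entries and remembers the MAC of the newest one. The MAC
// key must be held where the log writer cannot reach it; here it is passed in.
type AuditLog struct {
	key     []byte
	entries []Entry
	head    string
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key, head: genesis} }

// entryMAC is HMAC-SHA256 over the JSON form of the entry with its own MAC
// field blanked out.
func entryMAC(key []byte, e Entry) string {
	e.MAC = ""
	raw, _ := json.Marshal(e) // Entry has only marshalable fields
	m := hmac.New(sha256.New, key)
	m.Write(raw)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records one decision with its context and returns the entry.
func (l *AuditLog) Append(subject, action, resource, decision, context string) Entry {
	e := Entry{
		Seq: uint64(len(l.entries)), Time: time.Now().UTC(), Subject: subject,
		Action: action, Resource: resource, Decision: decision, Context: context,
		PrevMAC: l.head,
	}
	e.MAC = entryMAC(l.key, e)
	l.entries = append(l.entries, e)
	l.head = e.MAC
	return e
}

func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }
func (l *AuditLog) Head() string     { return l.head }

// Verify walks the chain. It returns -1 and nil when every entry is intact and
// in order and the chain ends at expectedHead; otherwise the index of the
// first bad entry (len(entries) when the tail has been cut off).
func Verify(key []byte, entries []Entry, expectedHead string) (int, error) {
	prev := genesis
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return i, fmt.Errorf("entry %d: sequence gap or reorder (seq %d)", i, e.Seq)
		}
		if e.PrevMAC != prev {
			return i, fmt.Errorf("entry %d: predecessor link broken", i)
		}
		if !hmac.Equal([]byte(entryMAC(key, e)), []byte(e.MAC)) {
			return i, fmt.Errorf("entry %d: content or MAC altered", i)
		}
		prev = e.MAC
	}
	if prev != expectedHead {
		return len(entries), errors.New("chain head mismatch: trailing entries removed")
	}
	return -1, nil
}

func main() {
	key := []byte("mac-key-held-in-vault") // constructed for the example
	log := NewAuditLog(key)
	log.Append("alice", "connect", "db-prod", "allow", "policy=prod-dba mfa=webauthn")
	log.Append("bob", "connect", "db-prod", "deny", "policy=none")
	entries := log.Entries()
	entries[1].Decision = "allow" // someone edits the stored record
	fmt.Println(Verify(key, entries, log.Head())) // 1 entry 1: content or MAC altered
}
```

A verifier that holds the key and the last known head detects in-place edits (MAC mismatch), deletions and reorders (sequence or link mismatch) and truncation (head mismatch). The property only holds if the key is kept away from anyone who can write the log; otherwise the chain can simply be recomputed after the edit.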
Authentication and authorization
Every identity verified. Every access governed.
| Capability | Implementation |
|---|---|
| Single Sign-On (SSO) | OIDC and SAML 2.0 via Keycloak (Google, Microsoft, custom IdP) |
| Multi-Factor Authentication | TOTP, WebAuthn (FIDO2/U2F), SMS OTP, backup codes |
| MFA Hardening | Peppered OTP hashing, constant-time comparison, per-user rate limiting, session nonce binding |
| Step-Up Authentication | Re-authentication required for billing, MFA reset, policy changes |
| RBAC | 87+ granular permissions across 19 resource types |
| PBAC | Signed policy bundles evaluated per request — fail-closed |
| JIT Access | Just-in-Time access with configurable TTL and automatic session expiry |
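The MFA Hardening row lists four controls that are easy to get subtly wrong. The block below is an added example, not the product's code, showing them together in Go (chosen so the example runs on the standard library alone; the product's backend is Rust): the OTP is stored only as an HMAC keyed with a server-side pepper, bound to the session nonce it was issued under, compared with a constant-time function, accepted exactly once, and gated by a per-user failure limit that is applied before the code is even examined. The store layout, names, the 6-digit code format and the limits are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

var ErrInvalidCode = errors.New("otp: invalid, expired or already used code")
var ErrRateLimited = errors.New("otp: too many failed attempts")

// challenge is all the server keeps: never the code, only its peppered digest.
type challenge struct {
	user    string
	digest  []byte
	expires time.Time
}

// OTPStore holds pending challenges and per-user failure history (assumed layout).
type OTPStore struct {
	mu       sync.Mutex
	pepper   []byte                 // server-side secret, kept apart from the digests
	pending  map[string]*challenge  // keyed by session nonce
	failures map[string][]time.Time // failed attempts per user inside the window
	maxFails int
	window   time.Duration
	Now      func() time.Time // injectable clock
}

func NewOTPStore(pepper []byte, maxFails int, window time.Duration) *OTPStore {
	return &OTPStore{pepper: pepper, pending: map[string]*challenge{},
		failures: map[string][]time.Time{}, maxFails: maxFails, window: window, Now: time.Now}
}

// digest = HMAC-SHA256(pepper, user || NUL || nonce || NUL || code). Without the
// pepper a leaked digest table is brute-forceable over only 10^6 codes; the
// nonce ties the code to one session. The nonce is hex, so NUL is a safe separator.
func (s *OTPStore) digest(user, nonce, code string) []byte {
	m := hmac.New(sha256.New, s.pepper)
	m.Write([]byte(user + "\x00" + nonce + "\x00" + code))
	return m.Sum(nil)
}

// Issue creates a 6-digit code bound to a fresh session nonce. The code goes to
// the user out of band; only its digest is retained.
func (s *OTPStore) Issue(user string, ttl time.Duration) (nonce, code string, err error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", "", err
	}
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	nonce, code = hex.EncodeToString(raw), fmt.Sprintf("%06d", n.Int64())
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[nonce] = &challenge{user: user, digest: s.digest(user, nonce, code), expires: s.Now().Add(ttl)}
	return nonce, code, nil
}

// Verify applies the per-user limit first, then compares digests in constant
// time. A correct code is accepted once; every failure counts.
func (s *OTPStore) Verify(user, nonce, code string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.Now()
	recent := s.failures[user][:0] // keep only failures still inside the window
	for _, t := range s.failures[user] {
		if now.Sub(t) < s.window {
			recent = append(recent, t)
		}
	}
	s.failures[user] = recent
	if len(recent) >= s.maxFails {
		return ErrRateLimited // refused before the challenge is even looked at
	}
	c, ok := s.pending[nonce]
	if !ok || c.user != user || !now.Before(c.expires) || !hmac.Equal(c.digest, s.digest(user, nonce, code)) {
		s.failures[user] = append(s.failures[user], now)
		return ErrInvalidCode
	}
	delete(s.pending, nonce) // single use
	delete(s.failures, user)
	return nil
}

func main() {
	s := NewOTPStore([]byte("constructed-pepper"), 3, 10*time.Minute)
	nonce, code, _ := s.Issue("alice", 5*time.Minute)
	fmt.Println("right code:", s.Verify("alice", nonce, code))
	fmt.Println("replayed:  ", s.Verify("alice", nonce, code))
}
```

Two details matter more than they look. The rate-limit check runs before the pending challenge is consulted, so a locked-out user cannot keep probing, and `hmac.Equal` is used rather than `bytes.Equal` so the comparison time does not depend on how many leading bytes match.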
Data protection
Encryption at every layer. Credentials never exposed.
Data in transit
TLS 1.2+ for all external connections. mTLS for connector tunnels. Certificate-based identity with auto-renewal.
Data at rest
AES-256-GCM encryption for PII fields. Vault Transit for recordings and secrets. Envelope encryption (DEK/KEK) via OpenBao Vault.
Credential storage
OpenBao Vault with AppRole authentication and automatic rotation. Secret material is zeroized in memory on drop. Users never see the target password.
Recording storage
Audit-grade storage with integrity-verified tamper-evident audit trail. Recordings encrypted with AES-256-GCM per-object keys via Vault Transit.
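The Data at rest and Recording storage paragraphs describe envelope encryption: a per-object data-encryption key (DEK) protects the content, and a key-encryption key (KEK) held in Vault Transit wraps the DEK. The block below is an added example, not the product's code, of that scheme in Go with AES-256-GCM (standard library only; the product's backend is Rust). The `kek` value stands in for the Vault Transit key, and the envelope layout and object ids are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrIntegrity: a GCM tag check failed (modified bytes, wrong key or wrong object id).
var ErrIntegrity = errors.New("envelope: authentication failed")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// seal returns nonce || ciphertext || tag under a fresh random nonce;
// unseal reverses it and reports any tag mismatch as ErrIntegrity.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func unseal(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) >= ns {
		if pt, err := aead.Open(nil, blob[:ns], blob[ns:], aad); err == nil {
			return pt, nil
		}
	}
	return nil, ErrIntegrity
}

// Envelope is what is stored for one recording or PII field. The object id is
// associated data for both layers, so nothing from one record opens under another.
type Envelope struct {
	ObjectID   string
	WrappedDEK []byte // DEK sealed under the KEK: nonce || ciphertext || tag
	Ciphertext []byte // content sealed under the DEK, same layout
}

// EncryptObject makes a fresh 256-bit DEK used for this object only, seals the
// content with it and seals the DEK under the KEK. kek stands in for the Vault
// Transit key; in production that wrap is a Transit API call and the KEK bytes
// are never in the application's memory.
func EncryptObject(kek cipher.AEAD, objectID string, plaintext []byte) (*Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{ObjectID: objectID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptObject unwraps the DEK, then opens the content; the tag check fails
// on any modified byte of either layer.
func DecryptObject(kek cipher.AEAD, e *Envelope) ([]byte, error) {
	dek, err := unseal(kek, e.WrappedDEK, []byte(e.ObjectID))
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return unseal(aead, e.Ciphertext, []byte(e.ObjectID))
}

func main() {
	kekBytes, _ := randomBytes(32) // constructed; a real KEK lives inside Vault Transit
	kek, _ := newGCM(kekBytes)
	env, _ := EncryptObject(kek, "recording-0001", []byte("constructed session bytes"))
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // one bit flipped in storage
	_, err := DecryptObject(kek, env)
	fmt.Println(err) // envelope: authentication failed
}
```

The GCM tag is what "integrity-verified" means at this layer: a single flipped bit in the stored ciphertext, a wrapped DEK copied onto another object's record, or a KEK that does not match all fail with the same error before any plaintext is returned. A production implementation would also wipe the plaintext DEK after use (the zeroize-on-drop behaviour noted under Credential storage); that step is left out of this example.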
Network security
NGINX ModSecurity WAF with OWASP Core Rule Set. Per-user and per-IP rate limiting. Kubernetes network policies, namespace separation.
Memory-safe backend
Rust. Memory safety is enforced by the compiler: safe Rust rules out buffer overflows and use-after-free at compile time, removing those vulnerability classes rather than mitigating them at runtime.
STRIDE threat modeling coverage
Systematic threat analysis on every major component. 152+ threats analyzed. 28 critical risks identified and mitigated.
| Component | Threats analyzed | Critical risks | Status |
|---|---|---|---|
| Authentication & MFA | 22 | 6 | Mitigated |
| API Token Governance | 30 | 4 | Mitigated |
| Runtime Control Plane | 22 | 6 | Mitigated |
| Recording Integrity | 18 | 2 | Mitigated |
| HTTP Proxy & Web Sessions | 33 | 5 | Mitigated |
| Connector Enrollment | 15 | 3 | Mitigated |
| Vault Credential Management | 12 | 2 | Mitigated |
Secure development practices
Rust (memory-safe)
No buffer overflows, no use-after-free: the compiler rejects them in safe Rust code, so these vulnerability classes are eliminated rather than patched case by case.
SAST/SCA every PR
Static application security testing and dependency vulnerability scanning on every pull request.
35+ security opinions
Formal architecture security reviews for every major feature before it ships.
Ed25519 signed releases
Every distributed binary signed. Release integrity verifiable by customers before deployment.
Fail-closed matrix
100% of endpoints mapped to explicit deny-on-failure. Reviewed on every architecture change.
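Principle 3 (signed policy bundles rejected at the PDP), principle 4 together with the fail-closed matrix, and the Ed25519 signed-release entry all reduce to the same two rules: verify the Ed25519 signature before acting on any bytes, and treat every failure path as a deny. The block below is an added example, not the product's code, of a minimal policy decision point that does both, plus the same verification applied to a release artifact, in Go with the standard library (the product's backend is Rust). The rule schema, the bundle layout and the decision semantics (an explicit deny wins, no match means deny) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Rule is one PBAC entry; the schema is an assumption for this example.
type Rule struct {
	Subject  string `json:"subject"`
	Resource string `json:"resource"`
	Action   string `json:"action"`
	Effect   string `json:"effect"` // "allow" or "deny"
}

// PolicyBundle carries the serialised rules and an Ed25519 signature over
// exactly those bytes; any change to Rules invalidates Sig.
type PolicyBundle struct {
	Rules []byte
	Sig   []byte
}

var ErrBadSignature = errors.New("policy bundle: signature invalid")
var ErrBadKey = errors.New("policy bundle: verification key malformed")

// SignBundle is the publisher side: serialise the rules and sign the bytes.
func SignBundle(priv ed25519.PrivateKey, rules []Rule) (PolicyBundle, error) {
	raw, err := json.Marshal(rules)
	if err != nil {
		return PolicyBundle{}, err
	}
	return PolicyBundle{Rules: raw, Sig: ed25519.Sign(priv, raw)}, nil
}

// PDP is the Policy Decision Point; it holds only the public verification key.
type PDP struct{ pub ed25519.PublicKey }

func NewPDP(pub ed25519.PublicKey) *PDP { return &PDP{pub: pub} }

// load verifies the signature before a single byte of policy is parsed.
func (p *PDP) load(b PolicyBundle) ([]Rule, error) {
	if len(p.pub) != ed25519.PublicKeySize {
		return nil, ErrBadKey // ed25519.Verify panics on a wrong-sized key
	}
	if !ed25519.Verify(p.pub, b.Rules, b.Sig) {
		return nil, ErrBadSignature
	}
	var rules []Rule
	if err := json.Unmarshal(b.Rules, &rules); err != nil {
		return nil, err
	}
	return rules, nil
}

// Decide is fail-closed: a malformed key, bad signature, unparsable policy,
// absent matching rule or explicit deny all yield false. Callers treat
// (false, err) exactly like (false, nil), access denied, and log err with it.
func (p *PDP) Decide(b PolicyBundle, subject, resource, action string) (bool, error) {
	rules, err := p.load(b)
	if err != nil {
		return false, err
	}
	allowed := false
	for _, r := range rules {
		if r.Subject != subject || r.Resource != resource || r.Action != action {
			continue
		}
		if r.Effect == "deny" {
			return false, nil // an explicit deny beats any allow
		}
		allowed = allowed || r.Effect == "allow"
	}
	return allowed, nil
}

// VerifyArtifact is the same check applied to a release binary: the customer
// verifies the vendor's Ed25519 signature over the file before deploying it.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, artifact, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pdp := NewPDP(pub)
	bundle, _ := SignBundle(priv, []Rule{{Subject: "alice", Resource: "db-prod", Action: "connect", Effect: "allow"}})
	fmt.Println(pdp.Decide(bundle, "alice", "db-prod", "connect")) // true <nil>

	// A rule is appended to the stored bundle without re-signing it.
	tampered := PolicyBundle{Sig: bundle.Sig, Rules: []byte(`[{"subject":"alice","resource":"db-prod","action":"connect","effect":"allow"},` +
		`{"subject":"alice","resource":"vault","action":"read","effect":"allow"}]`)}
	fmt.Println(pdp.Decide(tampered, "alice", "vault", "read")) // false policy bundle: signature invalid
}
```

The ordering inside `load` is the point: the signature is checked over the raw bytes before the JSON parser ever runs, so a tampered bundle cannot reach the evaluator or exploit the parser, and every error in `Decide` collapses to a deny rather than to an exception the caller might mishandle.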
Parameterized queries
SQLx queries are checked against the database schema at compile time and always use bound parameters, so user input is never interpolated into SQL and injection is ruled out structurally. Rust's type system and borrow checker enforce the API's types and ownership at compile time.
Your data stays in Poland. Always.
GCP europe-central2 (Warsaw). Audit logs, session recordings, and credentials never leave the European Union. Compliant by design with GDPR (RODO, its designation in Polish law) and NIS2.