Security at datorra

Security is foundational to how we build and operate our platform. Every layer of our architecture is designed with defense in depth, least-privilege access, and continuous monitoring.

Compliance

  • SOC 2 Type II aligned
  • ISO 27001 aligned
  • ISO 27017 aligned
  • ISO 27018 aligned

How we protect your data

Our multi-tier, defense-in-depth architecture ensures your data is protected at every stage — from authentication through to storage and access.

Authentication

All user authentication is handled through a SOC 2 Type II certified identity platform. We never store passwords or manage credentials directly.

  • OAuth 2.0 / OpenID Connect with RSA-signed JWTs
  • Multi-factor authentication support
  • Brute-force and credential-stuffing protection
  • Cryptographic token validation on every request

Access control

A centralized authorization service enforces role-based access control across all API endpoints and data resources.

  • Hierarchical RBAC with five role tiers
  • Organization-level tenant isolation
  • Per-dataset granular read permissions
  • Schema-level allowlists for query access

Encryption

All data is encrypted both in transit and at rest using modern cryptographic standards.

  • TLS 1.2+ enforced on all external and database connections
  • Secrets stored in a hardware-backed vault with purge protection
  • Envelope encryption for dynamic credentials (AES-GCM + RSA-OAEP-256)
  • Automatic secret rotation with configurable intervals

Network security

All services run within a private cluster behind multiple security boundaries. No service is directly reachable from the public internet.

  • Private compute cluster with internal load balancing
  • Web Application Firewall (WAF) on all public traffic
  • Default-deny network policies with explicit allowlists
  • Namespace isolation with independent network boundaries

Application security

Multi-layered input validation and query safety controls protect against injection attacks and unauthorized data access.

  • AST-based SQL query parsing with structural validation
  • Parameterized queries with identifier escaping — no string concatenation
  • Read-only enforcement at the parser level
  • System schema protection and schema-level access control

API security

All endpoints are protected by rate limiting, strict CORS policies, and sanitized error handling.

  • Per-tenant and global rate limiting with Retry-After headers
  • Strict origin allowlists in production
  • Sensitive patterns redacted from all responses
  • RFC 7807 structured error responses

Infrastructure hardening

Our container orchestration platform enforces strict security standards at the pod, container, and service level.

  • Non-root execution with all capabilities dropped
  • Privilege escalation disabled with seccomp profiles enforced
  • Dedicated service accounts with cloud IAM role binding
  • Resource limits enforced to prevent exhaustion attacks

Monitoring and logging

Centralized observability across all services enables rapid detection and response to security events.

  • Structured, centralized logging with distributed tracing
  • Automated alerting for failures and anomalies
  • Authentication and authorization events logged with full context
  • End-to-end request correlation for incident investigation

Secure development lifecycle

Security is integrated into every stage of our development process, from code to deployment.

  • Static analysis (SAST) and dependency scanning on every pull request
  • Automated secret detection in source code
  • Container image vulnerability scanning
  • Infrastructure-as-code security validation

Multi-tenant isolation

Every customer's data is isolated at the authorization, cache, and database connection layer.

  • Organization-scoped data access enforced at every layer
  • Cache keys scoped by tenant to prevent cross-tenant leakage
  • Database connections isolated per dataset
  • Default-deny access with fail-safe authorization

Reporting a vulnerability

If you discover a security vulnerability, please report it responsibly. We aim to acknowledge reports within 24 hours and will work with you to understand and resolve the issue promptly.

Email [email protected]