Security & Trust
Security is a foundational design constraint of the Naburis platform, not an afterthought. This page describes the controls, architecture, and processes that protect customer data across every product.
Security contact: security@naburis.cloud
Authentication & SSO
Naburis provides a centralized OIDC identity provider, self-hosted within the platform boundary.
| Capability | Detail |
|---|---|
| Protocol | OpenID Connect 1.0 / OAuth 2.0 |
| Browser apps | Authorization Code + PKCE |
| Machine-to-machine | Client Credentials grant or Personal Access Tokens |
| Token format | JWT (RS256), verified against JWKS endpoint |
| Token verification | Every service independently validates JWTs — no shared session state |
| SSO federation | Any OIDC-compatible identity provider can federate via the platform’s IdP |
| Session management | Short-lived access tokens with refresh token rotation |
Custom JWT claims carry platform context (tenant, plan, and product entitlements), enabling products to enforce plan-specific behavior without additional lookups. See Authentication for integration details.
Authorization & RBAC
Authorization is enforced with a deny-by-default policy — if the policy engine is unreachable, the request is denied (HTTP 503), not silently allowed.
Access tiers:
| Tier | Scope | How |
|---|---|---|
| Platform Admin | Identity, billing, customer management | Scoped admin roles, API keys |
| Product User | Per-product data and APIs | OIDC JWT with product-specific claims, workspace-scoped headers |
Each API request is scoped by three mandatory headers — X-Tenant-ID,
X-Workspace-ID, and X-Context-ID — verified against JWT claims before reaching
any product service.
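An added example, not Naburis code: a gateway-style check for the rules above, comparing the three scope headers against claims from an already verified JWT and failing closed with HTTP 503 when the policy engine cannot be reached. The claim names, the `policy_check` callable, `PolicyEngineUnavailable`, and the 400/403 status choices are assumptions of this example.

```python
# Header names are from the page; the claim names are assumed for this example.
SCOPE_HEADERS = {
    "X-Tenant-ID": "tenant_id",
    "X-Workspace-ID": "workspace_id",
    "X-Context-ID": "context_id",
}


class PolicyEngineUnavailable(Exception):
    """Raised by the hypothetical policy client on timeout or connection failure."""


def authorize(headers, claims, policy_check):
    """Return (status, reason); `claims` must come from an already verified JWT."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {name.lower(): value for name, value in headers.items()}
    for header, claim in SCOPE_HEADERS.items():
        sent = hdrs.get(header.lower())
        if not sent:
            return 400, f"missing {header}"
        granted = claims.get(claim)
        # A claim may carry a single value or a list of permitted values.
        granted = granted if isinstance(granted, list) else [granted]
        if sent not in granted:
            return 403, f"{header} not covered by token"
    try:
        allowed = policy_check(claims, hdrs)
    except PolicyEngineUnavailable:
        # Fail closed: an unreachable engine is a denial, never a pass.
        return 503, "policy engine unreachable"
    # Only an explicit True allows; None or any other value is a denial.
    return (200, "ok") if allowed is True else (403, "denied by policy")


if __name__ == "__main__":
    # Constructed sample token claims and requests.
    claims = {"tenant_id": "t-1", "workspace_id": ["w-1", "w-2"], "context_id": "c-1"}
    good = {"X-Tenant-ID": "t-1", "X-Workspace-ID": "w-2", "X-Context-ID": "c-1"}
    spoofed = dict(good, **{"X-Tenant-ID": "t-9"})

    def engine_down(_claims, _headers):
        raise PolicyEngineUnavailable()

    print(authorize(good, claims, lambda c, h: True))
    print(authorize(spoofed, claims, lambda c, h: True))
    print(authorize(good, claims, engine_down))
```

The header comparison runs before the policy call, so a request whose headers disagree with its token is rejected even while the policy engine is down.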
Audit Logging
Every API request is logged with both the service identity (which service made the call) and the delegated user identity (on whose behalf).
| Event type | Retention |
|---|---|
| API requests | 30 days |
| Authentication events | Per identity provider policy |
| Configuration changes | 30 days |
Tenancy & Data Isolation
Naburis enforces logical tenant isolation at every layer of the stack:
| Layer | Isolation mechanism |
|---|---|
| API gateway | Mandatory scope headers validated against JWT |
| Database | Per-product database roles — no cross-database access permitted |
| Cache | Namespaced key isolation with access control per product |
| Knowledge graph | Graph-level isolation; each tenant’s data lives in distinct graphs |
| Object storage | Per-product bucket isolation |
Tenant identifiers propagate from the JWT through every service boundary. A request cannot access data outside its tenant/workspace scope.
Data Handling & Privacy
| Topic | Detail |
|---|---|
| Data residency | EU by default; configurable per deployment |
| Encryption in transit | TLS 1.2+ on all endpoints, automated certificate management |
| Encryption at rest | Database volume-level encryption; secrets encrypted before storage |
| Data export (GDPR Art. 20) | Full data portability via Export service — CSV, JSON, or Parquet format |
| Right to erasure (GDPR Art. 17) | Hard-delete capability removes data from all stores, including downstream projections |
| Soft-delete default | Records are tombstoned, recoverable within retention window; only GDPR erasure requests trigger permanent deletion |
| CORS | Production origins must be explicitly listed — wildcard origins are not permitted when credentials are in use |
Secrets Management
No plaintext secrets are stored in version control.
| Control | Detail |
|---|---|
| Encryption at rest | Secrets encrypted before commit, decrypted at deploy time |
| Rotation | Regular rotation schedules for database credentials, master keys, and SSH keys |
| Automated rotation | Tooling generates, updates, restarts, and verifies in a single run |
| Service-to-service auth | Machine users with rotatable tokens — no static secrets in application configuration |
Backups & Recovery
| Aspect | Detail |
|---|---|
| Schedule | Daily automated backups |
| Scope | Databases, application volumes, platform configuration |
| Retention | 30 days on-host |
| Off-host replication | Encrypted sync to cloud object storage |
| Monitoring | Alert fires if no successful backup within the expected window |
| Restore procedures | Documented and tested: full-server, database-only, and volume-only restore |
Deployment & Infrastructure
| Control | Detail |
|---|---|
| Host OS | LTS Linux with unattended security updates |
| Containerization | All application code runs in containers with resource limits |
| SSH access | Key-only authentication, password login disabled |
| Infrastructure-as-code | Every deployment is repeatable and auditable |
| Policy gates | All configurations validated before deploy |
| Container policy | No privileged containers, resource limits required, restart policies mandatory |
| Vulnerability scanning | Container images scanned for critical and high-severity CVEs; builds blocked on findings |
| Reverse proxy | Automatic HTTPS, security headers (HSTS, CSP, X-Content-Type-Options), multi-layer rate limiting |
Incident Response
Naburis follows a structured incident response process with defined severity levels and escalation procedures. Response times and procedures are documented internally and reviewed regularly. For urgent security matters, contact security@naburis.cloud.
Compliance Posture
Naburis is not yet SOC 2 or ISO 27001 certified. We believe transparency about our current controls is more valuable than vague compliance claims.
Controls in place today:
- ✓ Encryption at rest and in transit (TLS 1.2+)
- ✓ OIDC-based authentication with MFA support
- ✓ Role-based access control with deny-by-default policy enforcement
- ✓ Audit logging with delegated identity attribution
- ✓ Automated daily backups with off-host replication and monitoring
- ✓ Vulnerability scanning on every container image
- ✓ Secret rotation schedules with automated tooling
- ✓ Incident response process with severity classification
- ✓ GDPR data export and right-to-erasure support
- ✓ Infrastructure-as-code with policy-gated deployments
Formal compliance certification is on our roadmap. If you have specific compliance requirements, contact us at security@naburis.cloud.