Security
Encryption, 2FA, audit log, and our incident response posture.
Last updated May 12, 2026
Encryption
In transit
Everything is TLS 1.2+ end-to-end. We accept no plaintext HTTP. The marketing site, the dashboard, the API, and all webhook deliveries use HTTPS exclusively. HSTS is set with max-age=31536000; includeSubDomains; preload, and we're on the HSTS preload list.
At rest
The primary database uses encryption at rest with managed keys. On top of that, we apply application-layer encryption (AES-256-GCM) to high-sensitivity fields:
- Integration credentials (WordPress application passwords, Shopify admin tokens, OAuth refresh tokens).
- API key plaintexts (we persist only the hash; the plaintext exists only briefly, in encrypted memory, before it is hashed).
- Custom compliance rules' regex patterns (lower-sensitivity, but encrypted for defense-in-depth).
Application-layer keys are managed in a separate key store, rotated quarterly, and never logged.
Backups
Daily full backups with 35-day retention. Backups inherit the same encryption as primary storage and the application-layer encryption persists into them. Restoration is tested quarterly.
Authentication
- Password sign-in with bcrypt (cost 12) hashing.
- Google OAuth as an alternative.
- TOTP MFA (Google Authenticator, 1Password, Authy, etc.) with recovery codes.
- WebAuthn / passkeys in beta — enable at Settings → Security.
Sessions last 14 days idle, 30 days absolute. Concurrent sessions are listed at Settings → Security → Sessions with a one-click revoke per session.
Authorization
Role-based access control with five workspace roles: Owner, Admin, Editor, Reviewer, Viewer. Every API request is authorised against the active token's scopes and the actor's workspace role.
Cross-workspace data leakage is prevented at the query layer: every query takes an explicit organizationId parameter and the database is partitioned such that omitting it produces a runtime error, not silent cross-tenant reads.
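One way to build the query-layer guarantee described above, as an added example that is not the product's own data layer: every read goes through a builder whose scope check throws if organizationId is absent, table and column names are allow-listed, and values are emitted as bind parameters. TABLES, SAMPLE_ROWS and the organisation ids are constructed for the example.

```javascript
// Added example, not the product's own data layer: a small query builder whose
// only entry point demands an explicit organizationId, so a developer who
// forgets the tenant scope gets a thrown MissingTenantScopeError rather than a
// query that silently returns every tenant's rows. Table and column names are
// allow-listed and values go out as bind parameters. TABLES and SAMPLE_ROWS are
// constructed for the example.
class MissingTenantScopeError extends Error {
  constructor(table) {
    super(`query on "${table}" has no organizationId; refusing to run`);
    this.name = 'MissingTenantScopeError';
  }
}

// Allow-listed tables and their filterable columns (JS name -> SQL column).
const TABLES = {
  pages: { id: 'id', organizationId: 'organization_id', status: 'status' },
  api_keys: { id: 'id', organizationId: 'organization_id', revoked: 'revoked' },
};

function assertTenantScope(table, where) {
  if (!TABLES[table]) throw new Error(`unknown table "${table}"`);
  if (!where || typeof where.organizationId !== 'string' || where.organizationId.length === 0) {
    throw new MissingTenantScopeError(table);
  }
}

// Build a parameterised SELECT; caller-supplied values are never interpolated.
function buildScopedSelect(table, where) {
  assertTenantScope(table, where);
  const columns = TABLES[table];
  const clauses = [];
  const params = [];
  for (const [key, value] of Object.entries(where)) {
    const column = columns[key];
    if (!column) throw new Error(`column "${key}" not filterable on "${table}"`);
    params.push(value);
    clauses.push(`${column} = $${params.length}`);
  }
  return { sql: `SELECT * FROM ${table} WHERE ${clauses.join(' AND ')}`, params };
}

// Constructed rows standing in for a database, to show the filter behaviour.
const SAMPLE_ROWS = {
  pages: [
    { id: 1, organization_id: 'org_a', status: 'published' },
    { id: 2, organization_id: 'org_a', status: 'draft' },
    { id: 3, organization_id: 'org_b', status: 'published' },
  ],
};

// In-memory executor with the same scope check; returns matching rows.
function findScoped(table, where) {
  assertTenantScope(table, where);
  const columns = TABLES[table];
  return (SAMPLE_ROWS[table] || []).filter((row) =>
    Object.entries(where).every(([key, value]) => row[columns[key]] === value),
  );
}
```

The point of routing every read through one function is that the tenant check cannot be forgotten per call site; a database-side row-level-security policy keyed on the same organisation column is the natural second layer.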
Audit log
Every meaningful action lands in the audit log. The log is append-only, with periodic integrity checks. Retention scales with plan.
Network and infrastructure
- Hosted on a major cloud provider with SOC 2 Type II certification.
- Web tier deployed across multiple regions; failover is automatic.
- DDoS mitigation via the provider's edge network plus our application-level rate limits.
- Per-region data isolation: EU sign-ups → EU; US sign-ups → US.
Vulnerability management
- Dependencies scanned daily; critical CVEs patched within 48 hours.
- Container images rebuilt weekly.
- Internal pen testing twice a year; external pen testing annually.
- Bug bounty program for in-scope findings (see /security/disclosure).
Incident response
If we suspect a security incident:
- On-call engineer triages within minutes.
- Severity classified (P0 to P3) within 30 minutes.
- P0 (active exploit, data exposure) triggers customer notice within 24 hours.
- P1 (significant risk, no confirmed exposure) triggers notice within 72 hours.
- Post-incident review is published publicly within 14 days for any P0 or P1.
GDPR breach notification (within 72 hours of awareness) is honoured for all in-scope events. See GDPR.
Supplier security
We use a minimal set of sub-processors (Stripe, our cloud host, our email vendor). Each is reviewed annually:
- Are they SOC 2 Type II or equivalent?
- Are they GDPR-compliant?
- Do they pass our questionnaire?
The current list is at /legal/subprocessors. Changes to the list are announced 30 days in advance.
What to do if you spot something
Email security@aidomination.app with details. We respond within 24 business hours. We do not retaliate against good-faith security research — see our vulnerability disclosure policy for safe-harbor language.
What you should do on your side
- Enable MFA on every account.
- Use unique passwords (consider a password manager).
- Rotate API keys quarterly.
- Review the team list quarterly; remove anyone who shouldn't be there.
- Review the audit log monthly for anomalies.
- Subscribe to status notifications for incident awareness.
See also
- GDPR — broader rights and obligations.
- Audit logs — your visibility into what happened on the workspace.
- API keys — best practices for the most-sensitive customer secret.