Sistava

Security Practices

Platform Security Overview

Encryption Everywhere

All customer data is encrypted in transit with TLS 1.3 and at rest with AES-256. Encryption keys are managed through dedicated key management infrastructure and rotated on a regular schedule. Internal communication between services runs over the cluster network with strict policy enforcement. No customer data ever traverses the public internet unencrypted.

Authentication and Access Control

User authentication uses industry-standard JWT cookies over HTTPS only, with passwords hashed via Argon2 and PBKDF2. Single sign-on via Google and Microsoft is supported for organizations that need it. Two-factor authentication is enforced for all administrative access. Role-based access control governs every action inside the workspace. The principle of least privilege applies to people, AI employees, and integrated tools alike. Every privileged action writes an audit log entry tied to the responsible identity.

Network and Application Hardening

The platform runs on a hardened Kubernetes environment with default-deny network policies, pod security standards, and ingress rate limiting. Container images are built from minimal base images and scanned for vulnerabilities before deployment. The application layer applies strict security headers, content security policy, and parameterized database queries throughout. Dependencies are continuously scanned for known vulnerabilities and patched on a documented timeline.

Tenant Isolation

Customer environments are isolated at every layer of the stack: database, application, cache, file storage, and workflow engine. Personal data, files, and AI conversations never cross tenant boundaries. Tenant identity is enforced by middleware on every request and by integration tests that probe for cross-tenant access. This is the most important security boundary on the platform and we treat any regression as a critical incident.

What this means for customers