/// Security

Enterprise-grade security. Zero-trust by design.

Every request authenticated. Every connection encrypted. Every tenant isolated. askotter is built from the ground up with the security controls enterprises require.

/// principles

Security is architecture, not a feature.

These aren't bolted-on controls. They're foundational decisions made before the first line of code was written.

Zero-Trust Architecture

Every API request validated against IDP signing certificates before any business logic executes. No implicit trust.

Passkey-First Auth

MFA or passkey required for all accounts. No password-only login permitted. Phishing-resistant by design.

Tenant Isolation

Agent flows and data strictly scoped per customer. Per-tenant isolated server-side execution with no cross-tenant data leakage.

Defense-in-Depth

Data encrypted in transit (TLS 1.3) and at rest (column-level + TDE + AES-256). Multiple independent layers.

/// transport security

All data encrypted in transit. No exceptions.

Every connection between clients, services, and infrastructure is encrypted with modern protocols.

PROTOCOLS
  • TLS 1.3 preferred; TLS 1.2 is the enforced minimum on all endpoints
  • TLS 1.1, TLS 1.0, SSL 3.0 and SSL 2.0 all disabled
  • HSTS enforced on all public-facing endpoints
  • Automated TLS certificate renewal from trusted CAs

CIPHER SUITES
  • AEAD-only: AES-256-GCM, ChaCha20-Poly1305
  • Weak and legacy cipher suites denied
  • Perfect Forward Secrecy via ECDHE key exchange
  • Client-facing and service-to-service paths encrypted

/// identity & authentication

Enterprise-grade identity. Dual-certificate validation.

Built on OpenID Connect and OAuth 2.0 with dedicated X.509 certificates for token signing and encryption.

Identity Provider

Enterprise-grade IDP built on OIDC and OAuth 2.0. Dedicated X.509 RSA certificates (2048-bit+) for token signing and encryption. Separate certificates for each purpose.

Browser Clients

OAuth 2.0 Authorization Code Flow with PKCE for the React application. Short-lived access tokens with enforced refresh token rotation and replay attack prevention.

Machine-to-Machine

Client Credentials Grant for device-to-device API calls. API keys hashed one-way, stored in encrypted SQL Server columns, never in logs or responses.

/// mfa & passkeys

Passkey-first. No password-only access.

Every account requires MFA or a passkey. No bypass mechanisms. Phishing-resistant authentication by default.

PREFERRED
Passkeys (WebAuthn / FIDO2)

Phishing-resistant, device-bound credentials. Required for admin and privileged accounts.

SUPPORTED
TOTP Authenticator Apps

Time-based one-time passwords from any standard authenticator application.

SUPPORTED
Hardware Security Keys

YubiKey and other FIDO2 hardware keys. Required for admin/privileged accounts alongside passkeys.

ENFORCED
No Bypass Mechanisms

No MFA bypass available to end users. Account recovery maintains equivalent security assurance.

/// platform architecture

Hybrid cloud. Hardened at every layer.

Azure for front-end web, identity, and API. AWS Redshift for data lake and compute. All inter-service paths encrypted and authenticated end-to-end.

[Architecture diagram: React App, IDP, Web API, Agents, Flow Engine; DATA LAKE on AWS Redshift · VPC]

AZURE · FRONT-END, IDP, API
  • Azure App Service with managed TLS and auto-rotation
  • Azure WAF + DDoS Protection on all internet-facing resources
  • Secrets and certificates in Azure Key Vault, never in source code
  • Network Security Groups restrict lateral movement

AWS REDSHIFT · DATA LAKE
  • EC2 instances in a private VPC with no public IPs
  • A single purpose-built Web API is the only external surface
  • Security Groups restrict inbound traffic to known askotter egress IPs
  • VPC Flow Logs and CloudTrail enabled

/// agent security

Self-healing agents. Isolated execution. Secrets never exposed.

Agent flows execute server-side with per-tenant isolation. Credentials are injected at runtime and never returned to client or logged.

Tenant Isolation & Human Oversight

Per-tenant isolated server-side execution with no cross-tenant data leakage. External integrations (API, web scrape, CSV, plugins) execute server-side. Credentials never exposed to the browser.

Secrets Management

API secrets stored encrypted in secure vaults or Always Encrypted SQL columns. Injected at runtime, never returned to client or logged. AI analysis nodes operate in-memory. No sensitive data persisted beyond flow lifecycle.

/// encryption at rest

Defense-in-depth. Multiple encryption layers.

Your data is encrypted at rest with multiple independent layers: column-level, full-database, and volume-level encryption combined.

Column-Level Encryption

Always Encrypted column-level encryption. Keys never exposed to the database engine. Decryption only occurs in the application layer.

Transparent Data Encryption

SQL Server TDE as an additional full-database encryption layer. Combined with column-level encryption for defense-in-depth.

Volume & Backup Encryption

AWS EBS volumes encrypted with AES-256. All backups encrypted at rest. No unencrypted data at any layer.

/// best practices

Secure development. Continuous monitoring. Shared learning.

Security is embedded in our development workflow, not bolted on after the fact.

  • Server-side input validation and parameterized queries only
  • Least privilege permissions per service account
  • NuGet/npm CVE scanning in CI/CD pipeline
  • Automated SAST in development workflow
  • Centralized logging with anomaly detection
  • Internal errors never surfaced in API responses
  • Short-lived tokens with logout invalidation across clients
  • Certificate lifecycle monitoring and documented rotation

/// compliance

Standards-aligned. Independently tested.

Our security posture is informed by industry frameworks and validated through third-party testing.

FRAMEWORKS
  • OWASP Top 10
  • NIST SP 800-53
  • CIS Benchmarks

TESTING & PATCHING
  • Third-party penetration testing program
  • OS/runtime patches monthly; critical patches within 72 hours
  • Responsible disclosure policy maintained

Security questions? We have answers.

Contact our team for detailed security documentation or compliance questionnaires.
