Security is core to authority infrastructure. This page summarizes technical and organizational measures we apply to the Auctra console, API, and supporting systems.
1. Infrastructure
- Production workloads run on managed cloud infrastructure with encryption in transit (TLS 1.2+).
- Database connections use encrypted channels and least-privilege credentials.
- Secrets and API keys are stored hashed; raw API keys are shown only once at creation.
2. Authentication and access
- Console authentication via industry-standard identity providers.
- Role-based access control (owner, admin, developer, reviewer, auditor) within organizations.
- Session cookies secured with HttpOnly and SameSite protections where supported.
- API access requires bearer tokens scoped to your organization.
3. Immutable audit integrity
Audit events are append-only and hash-chained: each record includes the hash of the previous event. Once written, events cannot be altered or deleted without breaking the chain and revealing tampering. Records include agent, action, policy, delegator, sponsor, approval chain, decision, and outcome.
4. Application security
- Input validation on API and server functions.
- CSRF protections for state-changing console requests.
- Dependency monitoring and regular security updates.
- Error handling that avoids leaking sensitive internals to clients.
5. Incident response
We maintain procedures to detect, contain, and notify customers of security incidents affecting personal data in accordance with applicable law. Report vulnerabilities or incidents to support@auctra.tech with subject line "Security".
6. Customer responsibilities
- Enforce least-privilege roles in your organization.
- Rotate API keys on schedule and after personnel changes.
- Configure delegations with appropriate limits and expiration.
- Do not commit secrets to source control.
7. Subprocessors
We use vetted subprocessors for hosting, authentication, email, payments, and marketing analytics. Current subprocessors:
- Supabase — Authentication, database, and encrypted data storage (United States)
- Vercel — Marketing website hosting and content delivery (United States)
- Render — Operator console, API, and application hosting (United States)
- Resend — Transactional email delivery (United States)
- Creem — Payment processing and merchant of record (Varies by transaction)
- Google Analytics — Aggregated website analytics on auctra.tech only (United States)
For privacy inquiries or DPA requests, contact privacy@auctra.tech.
8. Contact
Security inquiries: support@auctra.tech · Privacy: privacy@auctra.tech
Auctra