Centiloquy Application Security Measures

The Centiloquy core application employs the following measures to protect against bad actors and secure the platform for use in production.
The core application has also been pen tested for common web application vulnerabilities (e.g., OWASP Top 10 vulnerabilities such as cross-site scripting (XSS), SQL injection, broken authentication).

1. Application Security
Input Validation: All APIs implement strict input validation to prevent common injection attacks such as SQL injection and XSS.
Authentication and Authorization:
The platform uses secure authentication mechanisms (OAuth 2.0, JWT tokens) with role-based access control (RBAC) to ensure that only authorized users can access specific workflows and data that belong to them.
Password Security:
User passwords and credentials are hashed using industry-standard algorithms (e.g., bcrypt and CryptoJS) and are never stored in plaintext in the database.

2. Data Security
Data Encryption: All sensitive data is encrypted both at rest and in transit using strong encryption protocols (AES-256 for data at rest and TLS 1.2+ for data in transit).
Secure APIs: All API endpoints are secured using HTTPS and are protected against common attacks such as brute-force attacks and DDoS.

3. Container Security
Image Scanning:
Docker images can be scanned for known vulnerabilities using tools like Aqua Security or Clair. Only approved and scanned images are deployed to production environments.
Runtime Security:
Containers are run with restricted permissions (using Docker's --user flag) to minimize the attack surface.
Secrets Management:
Sensitive data such as API keys or database credentials are managed securely through environment variables using Docker Secrets or Kubernetes Secrets and are never hardcoded into the application.
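
The runtime-user and secrets rules above can be checked before an image is approved for deployment. The following is an added example, not Centiloquy's own code: it audits JSON shaped like `docker image inspect` output for images whose default user is root and for secret-like values baked into ENV. The image names, the sample data, the name pattern and the `*_FILE=/run/secrets/...` convention are assumptions made for illustration.

```python
import json
import re

# Constructed sample shaped like `docker image inspect` output (not a real image).
SAMPLE_INSPECT = json.loads("""
[
  {"RepoTags": ["example/api:1.0"],
   "Config": {"User": "",
              "Env": ["PATH=/usr/local/bin:/usr/bin", "DB_PASSWORD=hunter2",
                      "API_KEY_FILE=/run/secrets/api_key"]}},
  {"RepoTags": ["example/worker:1.0"],
   "Config": {"User": "10001:10001",
              "Env": ["PATH=/usr/local/bin:/usr/bin", "NODE_ENV=production"]}}
]
""")

# Assumed naming heuristic for variables that usually hold credentials.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CREDENTIAL)", re.I)
ROOT_USERS = {"", "0", "root"}  # an empty User field means the image runs as root


def runs_as_root(user):
    """True when the image's default user (the part before ':') is root."""
    return user.split(":", 1)[0] in ROOT_USERS


def baked_in_secrets(env):
    """Names of ENV entries that look like secrets stored in the image itself."""
    hits = []
    for entry in env or []:
        name, _, value = entry.partition("=")
        # A *_FILE variable pointing at a mounted secret holds a path, not the secret.
        mounted = name.upper().endswith("_FILE") and value.startswith("/run/secrets/")
        if SECRET_NAME.search(name) and value and not mounted:
            hits.append(name)
    return hits


def audit_images(inspect_data):
    """Return {image tag: [findings]} for images that fail either check."""
    report = {}
    for image in inspect_data:
        config = image.get("Config") or {}
        findings = []
        if runs_as_root(config.get("User") or ""):
            findings.append("default user is root; set USER in the image or pass --user")
        findings += [f"secret-like value baked into ENV: {name}"
                     for name in baked_in_secrets(config.get("Env"))]
        if findings:
            report[(image.get("RepoTags") or ["<untagged>"])[0]] = findings
    return report
```

Calling `audit_images(SAMPLE_INSPECT)` reports only `example/api:1.0`; in a pipeline the same function can take the parsed output of `docker image inspect` and fail the build when the report is non-empty.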

4. Infrastructure Security
Network Segmentation:
Production deployments should use network policies to isolate different services within the Docker/Kubernetes environment, ensuring that only necessary services can communicate with each other.
Firewall & IDS/IPS:
Firewalls and intrusion detection/prevention systems (IDS/IPS) should be used where possible to detect and prevent unauthorized access to our infrastructure.

Data Protection Compliance (GDPR)
Centiloquy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We store only minimal cookies in the client to enable things like persistent sign-in. Any data collected can be accessed, managed or deleted by the user. Admin APIs can delete an account and all data associated with it on demand when the user requests it.

Centiloquy implements measures to protect data from unauthorized access, including encryption and regular security audits.