Security at Viatoris
How we protect your data and your agents' integrity.
1. Architecture Overview
- 4 microservices (Identity, Receipts, Reputation, Compliance) sharing one PostgreSQL database
- Next.js dashboard on Vercel
- All API traffic proxied through Cloudflare WAF
- Services hosted on Railway (US region)
2. Encryption
In Transit
- TLS 1.2+ enforced on all connections
- HSTS enabled with Helmet
In Application
- Ed25519 (EdDSA) signatures on all agent actions and receipts
- AES-256-GCM encryption for stored API keys
- HMAC-SHA256 for email verification and magic link tokens
- bcrypt (12 rounds) for password hashing
3. Authentication & Access Control
- JWT session tokens (HS256, httpOnly, Secure, SameSite cookies)
- API key authentication (SHA-256 hashed, never stored in plaintext)
- Google OAuth 2.0 with CSRF state validation
- Per-email brute force protection (5 attempts / 15 minutes)
- Session invalidation on password change, suspension, and deactivation
- Role-based access control (Owner / Admin / Member)
- Admin actions require step-up authentication with short-lived sessions
4. Tenant Isolation
- PostgreSQL Row-Level Security (RLS) with 20+ policies
- Every query scoped to the authenticated organization's DID
- Minimal-privilege database role (
app_service) — no superuser access from application code - DID format validation as defense-in-depth against injection
- Internal service-to-service requests use a separate authentication token with explicit RLS bypass
5. Audit Trail
- Append-only audit log — no delete operations exposed
- Every agent action recorded as a cryptographically signed receipt (EdDSA)
- Countersignature verification on receipt submission
- Receipt hash integrity verification
- Tamper-evident: modifying a receipt invalidates its signature
6. API Security
- Rate limiting with Redis (per-key and per-IP), in-memory fallback if Redis is unavailable
- Request validation on all inputs (Zod schemas with maximum field lengths)
- SSRF protection on webhook delivery (blocks private IPs, cloud metadata endpoints, internal domains)
- CORS restricted to known origins
- Structured JSON logging with server-generated request IDs (client IDs ignored)
7. Infrastructure
- Cloudflare WAF and DDoS protection
- Monitoring via Sentry (error tracking, PII stripped) and UptimeRobot (uptime monitoring)
- Non-root Docker containers
- Environment variable validation at startup (fail-fast)
- Credentials rotated regularly; secrets never stored in git history
8. Email Security
- SPF, DKIM, and DMARC configured
- Transactional email via Resend (
noreply@viatoris.ai)
9. Subprocessors
The third-party service providers we rely on to operate the Viatoris platform:
| Provider | Purpose | Location |
|---|---|---|
| Railway | Application hosting, PostgreSQL, Redis | US |
| Vercel | Dashboard hosting | US |
| Cloudflare | DNS, WAF, DDoS protection | Global |
| Stripe | Payment processing | US |
| Resend | Transactional email | US |
| Sentry | Error monitoring (PII stripped) | US |
| OAuth authentication | US |
10. Compliance
Viatoris is designed to support SOC 2-aligned environments. We are not currently SOC 2 certified.
Our architecture supports organizations operating under HIPAA, GDPR, and AI Act requirements. Contact us at security@viatoris.ai to discuss your specific compliance needs.
For details on what data we collect and how it's handled, see our Privacy Policy and Terms of Service.
11. Reporting Security Issues
If you discover a security vulnerability, please report it to security@viatoris.ai.
We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.
We do not currently operate a bug bounty program.
Machine-readable contact information is available at /.well-known/security.txt.
Last updated: April 2026