Security is a design constraint in this product, not an add-on. The platform is built to run inside your own infrastructure, expose no public endpoint, keep customer traffic and payloads in your VPC, and account for every configuration change. This page is the map; each topic links to its detail page.
The control plane, runtime, worker, and database all run inside your own network. Your SOAP traffic, request/response payloads, archives, learned examples, and the entire metadata database stay in your infrastructure. The only outbound communication is a minimal, metadata-only signal to the Specaria platform for licensing and updates — never your payloads, hostnames, or consumer identifiers. See Network & data residency and the licensing egress allow-list.
Both the runtime and admin services run with internal-only ingress by default. There is no public URL. Access is mediated through your network's internal load balancer and an identity-aware proxy. See Network & data residency.
Three roles — admin, operator, reader — are enforced across every control-plane endpoint. Role assignment resolves from your IdP groups, from direct in-app principal bindings, or from an emergency bootstrap list, so you are never locked out and never dependent on a single external system to grant access. See RBAC & roles.
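The resolution order above (IdP groups, in-app bindings, bootstrap list) is easy to get subtly wrong, so here is one way to implement it. This is an added example, not the product's code: the "most privileged grant from any source wins" rule, the group-to-role mapping, and the `example.com` subjects are all assumptions made for illustration.

```python
"""Role resolution from the three sources the page lists.

Added example (not the product's code). Assumptions: a principal's
effective role is the most privileged role granted by any source; a
group or subject with no mapping grants nothing; each endpoint declares
the minimum role it needs.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# The page's three roles, least to most privileged.
ROLE_RANK = {"reader": 1, "operator": 2, "admin": 3}


@dataclass(frozen=True)
class Principal:
    subject: str                          # identity injected by the proxy
    idp_groups: frozenset = frozenset()   # group claims from the IdP


@dataclass(frozen=True)
class RoleSources:
    group_roles: dict   # IdP group name -> role (customer-configured)
    bindings: dict      # subject -> role, set in-app by an admin
    bootstrap: dict     # emergency bootstrap list: subject -> role


def explain_role(p: Principal, src: RoleSources) -> Optional[Tuple[str, str]]:
    """Return (role, source) for the most privileged grant, or None.

    Keeping the granting source makes the decision auditable: the audit
    event can record why a subject held a role, not just that it did.
    """
    grants = []
    for g in sorted(p.idp_groups):
        role = src.group_roles.get(g)
        if role in ROLE_RANK:
            grants.append((role, f"idp_group:{g}"))
    for name, table in (("binding", src.bindings), ("bootstrap", src.bootstrap)):
        role = table.get(p.subject)
        if role in ROLE_RANK:
            grants.append((role, name))
    if not grants:
        return None
    # max() keeps the first of equal-ranked grants, so the order above
    # (IdP, then in-app, then bootstrap) decides ties.
    return max(grants, key=lambda rs: ROLE_RANK[rs[0]])


def resolve_role(p: Principal, src: RoleSources) -> Optional[str]:
    found = explain_role(p, src)
    return found[0] if found else None


def authorize(p: Principal, src: RoleSources, required: str) -> bool:
    """Deny unless the effective role is at least `required`."""
    role = resolve_role(p, src)
    return role is not None and ROLE_RANK[role] >= ROLE_RANK[required]


# Constructed sample configuration (hypothetical groups and subjects).
SAMPLE_SOURCES = RoleSources(
    group_roles={"soap-admins": "admin", "soap-ops": "operator"},
    bindings={"carol@example.com": "reader"},
    bootstrap={"breakglass@example.com": "admin"},
)

if __name__ == "__main__":
    for subj, groups in [("alice@example.com", {"soap-ops"}),
                         ("carol@example.com", {"soap-admins"}),
                         ("bob@example.com", {"unrelated"}),
                         ("breakglass@example.com", set())]:
        p = Principal(subj, frozenset(groups))
        print(subj, explain_role(p, SAMPLE_SOURCES),
              "operator?", authorize(p, SAMPLE_SOURCES, "operator"))
```

Two points worth noting: a subject with no grant from any source gets `None` rather than a default `reader`, so an unmapped IdP group never silently confers read access; and the bootstrap list is consulted last, so it can rescue a locked-out admin without masking the role a normal binding already grants.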
Operator access flows through an identity-aware proxy that injects an authenticated user identity. At GA the supported identity surfaces include Google IAP, Azure AD, and standard SAML / OIDC. Additional providers are on the roadmap. See Authentication.
Backend connection credentials (basic, bearer, API-key header, OAuth2 client-credentials, and mutual-TLS material) are stored encrypted at rest using pgcrypto. Plaintext credential values are never returned in API responses and never written to logs — the API only ever exposes metadata such as "is a credential set, and when was it last updated." See Backend credential encryption.
Every configuration change is recorded as an audit event: who did it (actor and role), what action was taken, and the before/after state, all tied to a correlation ID. Audit events are retained for 60 days by default and are queryable from the UI. See the audit trail and data retention.
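The two guarantees above interact: an audit event carries the before/after state of a change, and credential values must never be written to logs, so the audit record of a credential update has to show that the value changed without showing the value. The following is an added example of that redaction, not the product's audit schema; the secret-bearing key names, the event layout and the sample backend record are assumptions.

```python
"""Audit event builder for a configuration change, with credential values
redacted so the before/after state never carries plaintext.

Added example, not the product's code or audit schema. Assumed: a key
whose name contains one of SECRET_MARKERS holds a credential value.
"""
import json
import uuid
from datetime import datetime, timezone

SECRET_MARKERS = ("password", "secret", "token", "api_key", "private_key")
REDACTED = "<redacted>"


def _is_secret(key: str) -> bool:
    k = key.lower()
    return any(m in k for m in SECRET_MARKERS)


def _safe(key, value):
    """Value as it may appear in an audit event or log line."""
    if _is_secret(key):
        return None if value is None else REDACTED   # keeps "unset" vs "set"
    return redact(value)


def redact(value):
    """Recursively redact secret-bearing keys in nested dicts and lists."""
    if isinstance(value, dict):
        return {k: _safe(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def diff(before: dict, after: dict) -> dict:
    """Top-level keys whose value changed, with redacted before/after.

    The comparison runs on the raw values, so a rotated credential still
    shows up as a change (redacted on both sides) instead of vanishing.
    """
    changes = {}
    for k in sorted(set(before) | set(after)):
        if before.get(k) != after.get(k):
            changes[k] = {"before": _safe(k, before.get(k)),
                          "after": _safe(k, after.get(k))}
    return changes


def audit_event(actor, role, action, before, after, correlation_id=None):
    """One audit record: actor, role, action, redacted changes, correlation ID."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "correlation_id": correlation_id or str(uuid.uuid4()),
        "actor": actor,
        "role": role,
        "action": action,
        "changes": diff(before, after),
    }


def leaks(event: dict, secrets) -> bool:
    """True if any plaintext secret appears in the serialized event."""
    blob = json.dumps(event)
    return any(s and s in blob for s in secrets)


# Constructed sample: an operator sets a password on a backend connection.
BEFORE = {"name": "billing-soap", "auth_type": "basic", "username": "svc",
          "password": None, "url": "https://billing.internal/soap"}
AFTER = dict(BEFORE, password="constructed-plaintext-123")

if __name__ == "__main__":
    ev = audit_event("alice@example.com", "operator", "backend.update",
                     BEFORE, AFTER, correlation_id="c-1")
    print(json.dumps(ev, indent=2))
    print("leaks plaintext:", leaks(ev, [AFTER["password"]]))
```

The `leaks` check is the kind of assertion worth keeping in the test suite of any audit pipeline: serialize the event exactly as it will be stored, then search it for every plaintext secret that was in scope during the change.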
The product talks outbound only, over HTTPS, to the Specaria platform — and sends only numeric counts, versions, a hashed host fingerprint, an installation ID, a customer label, and a contact email. It never sends payloads, hostnames, consumer identifiers, or PII. See the egress allow-list.
Note on licensing telemetry. The integration with the central Specaria platform — JWKS-verified licensing, heartbeat telemetry, update notifications, and feedback — sends metadata only (no payloads, no PII). The security properties above (no public endpoint, in-VPC data, RBAC, encrypted credentials, audit) hold independent of that integration. See Licensing for the details.
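A useful way to make the "metadata only" claim above enforceable rather than a convention is to put the outbound payload behind a strict allow-list that rejects, rather than drops, anything else. The block below is an added example of such a builder and is not the product's client: the field names, the keyed hostname fingerprint (HMAC-SHA256 under a per-installation key) and the version-string format are assumptions; the page only lists the categories of data that are sent.

```python
"""Outbound heartbeat builder restricted to the metadata categories the
page lists: numeric counts, versions, a hashed host fingerprint, an
installation ID, a customer label and a contact email.

Added example, not the product's client; field names, the keyed hostname
fingerprint and the version format are assumptions.
"""
import hashlib
import hmac
import json
import re

VERSION_RE = re.compile(r"^[0-9A-Za-z.+-]{1,64}$")

# Top-level field -> required Python type. Nothing else may leave the VPC.
ALLOWED_FIELDS = {
    "installation_id": str,
    "customer_label": str,
    "contact_email": str,
    "host_fingerprint": str,
    "versions": dict,   # component -> version string
    "counts": dict,     # metric -> non-negative int
}


class EgressPolicyError(ValueError):
    pass


def host_fingerprint(hostname: str, install_key: bytes) -> str:
    """HMAC-SHA256 of the lower-cased hostname under a per-installation key.

    The vendor gets a stable identifier per install but cannot recover the
    hostname from it or test guesses against it without the key.
    """
    return hmac.new(install_key, hostname.lower().encode(), hashlib.sha256).hexdigest()


def build_heartbeat(raw: dict) -> dict:
    """Return a heartbeat containing only allow-listed, well-typed fields.

    Raises EgressPolicyError instead of silently dropping, so a code change
    that adds a field cannot ship without the policy being updated.
    """
    extra = sorted(set(raw) - set(ALLOWED_FIELDS))
    if extra:
        raise EgressPolicyError(f"fields not permitted in egress: {extra}")
    out = {}
    for name, typ in ALLOWED_FIELDS.items():
        if name not in raw:
            raise EgressPolicyError(f"missing required field: {name}")
        if not isinstance(raw[name], typ):
            raise EgressPolicyError(f"{name} must be {typ.__name__}")
        out[name] = raw[name]
    for metric, value in out["counts"].items():
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise EgressPolicyError(f"count {metric!r} must be a non-negative int")
    for component, version in out["versions"].items():
        if not isinstance(version, str) or not VERSION_RE.match(version):
            raise EgressPolicyError(f"version for {component!r} is not a plain version string")
    return out


def rejected(raw: dict) -> bool:
    """True if the policy refuses to send `raw` (used for self-checks)."""
    try:
        build_heartbeat(raw)
        return False
    except EgressPolicyError:
        return True


def to_wire(heartbeat: dict) -> str:
    """Canonical JSON as it would be sent over HTTPS."""
    return json.dumps(heartbeat, sort_keys=True, separators=(",", ":"))


# Constructed local state; the hostname must never appear in the payload.
LOCAL_HOSTNAME = "soap-gw-01.prod.example.internal"
INSTALL_KEY = b"constructed-install-key-not-a-real-secret"


def sample_heartbeat() -> dict:
    return build_heartbeat({
        "installation_id": "inst-0001",
        "customer_label": "acme-prod",
        "contact_email": "platform-team@example.com",
        "host_fingerprint": host_fingerprint(LOCAL_HOSTNAME, INSTALL_KEY),
        "versions": {"control_plane": "1.4.2", "runtime": "1.4.2"},
        "counts": {"backends": 12, "requests_24h": 48213},
    })


if __name__ == "__main__":
    print(to_wire(sample_heartbeat()))
    print("hostname leaks:", LOCAL_HOSTNAME in to_wire(sample_heartbeat()))
```

The version regex matters more than it looks: free-form strings are the usual route by which a hostname, a path or a consumer identifier sneaks into "metadata only" telemetry, so the policy admits only plain version tokens.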
| Concern | How the platform addresses it | Detail |
|---|---|---|
| Data residency | Everything runs in your VPC; payloads never leave | Network |
| Network exposure | No public endpoint; internal-only ingress by default | Network |
| Access control | RBAC mapped from your IdP / in-app bindings / bootstrap | RBAC |
| Authentication | Identity-aware proxy; IAP / Azure AD / SAML / OIDC at GA | Authentication |
| Secrets | Backend credentials encrypted at rest, never logged | Credentials |
| Database auth | IAM database authentication on Google Cloud | Network |
| Accountability | Full audit trail with actor, action, before/after | Audit |
| Retention | 60-day default, configurable | Data retention |
| Vendor data exposure | Outbound-only, numeric/metadata telemetry; no PII, no payloads | Egress allow-list |