Exlogare

Security

How Exlogare protects your pipeline data, credentials, and account.

Reporting a vulnerability

Please email security@exlogare.net with a proof-of-concept and reproduction steps. We acknowledge within one business day and keep you updated until remediation ships. We don't operate a bug bounty yet, but we gladly credit researchers in our security advisories.

Your data

  • Raw pipeline logs are processed strictly in memory by our analysis layer and discarded at the end of the job. They are never persisted to our database.
  • Our redaction layer strips JWTs, AWS keys, GitLab tokens, basic-auth URLs, and other high-entropy secrets before any analysis runs.
  • Integration tokens, webhook secrets, and OAuth credentials are encrypted at rest with symmetric keys rotated on a defined schedule.
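
One way a redaction pass of the kind described in the second bullet can work, as an added example that is not Exlogare's code. The patterns follow the publicly documented token formats; the function names, placeholder labels and the 4.0 bits-per-character entropy threshold are assumptions of this example.

```python
import math
import re

# Formats follow the vendors' public documentation; the rule set, labels and
# threshold are assumptions of this example, not Exlogare's configuration.
PATTERNS = [
    ("JWT", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")),
    ("AWS_KEY_ID", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("GITLAB_TOKEN", re.compile(r"\bglpat-[\w-]{20,}")),
    # user:password between "://" and "@"; scheme and host stay readable
    ("BASIC_AUTH", re.compile(r"(?<=://)[^/\s:@]+:[^/\s@]+(?=@)")),
]
# Long base64/base64url-looking runs are scored by entropy as a fallback.
CANDIDATE = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")


def shannon_entropy(token):
    """Bits per character of the token's character distribution."""
    counts = {c: token.count(c) for c in set(token)}
    return -sum(n / len(token) * math.log2(n / len(token)) for n in counts.values())


def redact_line(line, threshold=4.0):
    """Replace known token formats first, then high-entropy leftovers."""
    for label, pattern in PATTERNS:
        line = pattern.sub(f"[REDACTED:{label}]", line)

    def mask(match):
        token = match.group(0)
        return "[REDACTED:HIGH_ENTROPY]" if shannon_entropy(token) >= threshold else token

    return CANDIDATE.sub(mask, line)


# Constructed sample log lines; every credential here is a made-up or
# documentation placeholder value.
SAMPLE_LOG = [
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaSJ9.c2lnbmF0dXJlLWNvbnN0cnVjdGVk",
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "CI_TOKEN=glpat-0123456789abcdefghij",
    "git clone https://deploy:s3cr3tpass@git.example.com/repo.git",
    "commit da39a3ee5e6b4b0d3255bfef95601890afd80709",  # hex SHA scores < 4.0, kept
    "------------------------------ tests passed ------------------------------",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(redact_line(raw))
```

The format-specific rules run first because a 20-character access key ID is too short for the entropy fallback to consider. A 40-character hex commit SHA always scores below 4.0 bits per character, so it survives redaction.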

Transport and sessions

Every public endpoint is served over TLS 1.2+ with modern cipher suites. Session cookies are HttpOnly, Secure, and SameSite=Lax. State-changing API calls require a double-submit CSRF token.

Tenant isolation

Each tenant is scoped by UUID at the database layer. Every query in the API and worker is filtered by the caller's tenant; cross-tenant access is blocked at the ORM boundary rather than left to the UI to enforce.

Infrastructure

Production runs in isolated containers with least-privilege service accounts. Secrets are injected at deploy time from a vault — never committed to the repository. Database backups are encrypted and rotated daily.

Compliance roadmap

We align engineering practices with SOC 2 Type I controls today and are tracking toward an external audit. GDPR and Russian Law 152-FZ are in scope for the managed SaaS.

Security contacts

General security questions, procurement reviews, and vulnerability reports: security@exlogare.net. Privacy questions: privacy@exlogare.net.