Security Review

YesIs SSO supported?

Google OAuth 2.0 (OIDC) for self-serve users. SAML 2.0 for Enterprise customers — supports Microsoft Entra ID, Okta, Ping Identity, ADFS, and any other SAML 2.0-compliant IdP. Per-tenant config via admin console; IdP metadata pasted once, users federated immediately.

YesIs MFA supported?

MFA is enforced by your IdP (for SSO/SAML users) or by Google (for OAuth users). We inherit whatever MFA / conditional access your organization has configured — we don't override it. Magic-link email codes act as a proof-of-email factor for users without an IdP.

YesIs role-based access control enforced?

Workspace-level RBAC with three roles: owner, editor, viewer. Owners manage membership and destructive actions (archive / clone / delete); editors can submit work and review; viewers are read-only. Enforced at the route decorator layer and again in the service layer.

YesAre passwords stored on your side?

No. We don't store passwords at all. Authentication is via Google OAuth, SAML federation, or magic-link email codes — none of these involve a password on our side.

YesIs session management secure?

Server-side sessions via Flask-Session, HttpOnly + Secure cookies, 30-minute server-enforced idle timeout. Session invalidation on password change or role revocation propagates immediately (no stale-session risk).

YesAre programmatic API credentials scoped and rotatable?

Bearer tokens (jvx_<env>_<32-hex>) with scopes, 90-day default expiry, immediate revocation via self-serve UI. Max 5 active per user. Tokens are SHA-256 hashed at rest — we can't recover one if you lose it.

YesWhat data do you collect?

Artifacts you upload (SQL, code, workflows) for the purpose of converting them. Metadata about your account (email, plan, usage counts). Audit events for security / compliance. We do not collect analytics on what's inside your code.

YesIs data deleted on account closure?

Yes. Account deletion triggers a 30-day soft-delete (so accidental deletes are recoverable), then permanent purge from all live systems. Backups are retained per our 30-day window and then purged on the regular retention cycle. Documented in our Privacy Policy.

YesDo you use customer data to train AI models?

No. Customer code / SQL / workflows are used solely to produce the conversion outputs you requested. Nothing is used for model training — ours, Anthropic's, or OpenAI's. Anthropic and OpenAI both operate under enterprise API agreements that prohibit training on submitted data.

YesHow long are uploaded artifacts retained?

For the lifetime of the batch / project, plus 90 days post-completion to allow re-download. After 90 days, source artifacts are automatically purged from GCS; conversion results remain in your dashboard until you delete them.

YesIs data encrypted in transit?

TLS 1.2+ everywhere. HSTS enabled. Internal service-to-service traffic also TLS-protected via Google's managed envelope. No plaintext endpoints exposed.

YesIs data encrypted at rest?

AES-256 via Google Cloud defaults for GCS (source artifacts, outputs) and Firestore (metadata, audit events). Keys rotated automatically by Google KMS. CMEK (customer-managed encryption keys) available for Enterprise customers with KMS integration requirements — contact sales.

YesAre credentials and secrets encrypted at rest?

API tokens and magic-link codes are SHA-256 hashed with per-row salt before storage — they're never stored in plaintext. OAuth secrets and IdP signing certs are stored in Google Secret Manager (AES-256 encrypted, IAM-gated).

YesWhat cloud platform do you run on?

Google Cloud Platform, project jfd-01-platform, region us-central1. Core services: Cloud Run (compute), Firestore (metadata), Cloud Storage (artifacts), Cloud Tasks (async jobs), Secret Manager (credentials).

YesIs the architecture multi-tenant?

Yes — a single shared-infrastructure deployment with strong row-level isolation in Firestore and folder-level isolation in GCS. Every query is scoped to the authenticated user's email / workspace. No cross-tenant data leakage possible by design.

YesIs there a public / admin separation?

Yes. /admin/* routes require admin-group membership, enforced at decorator level. Admin actions are audit-logged with an admin.* event category for clear separation from customer actions.

YesAre DDoS protections in place?

Google Cloud provides baseline DDoS protection (Cloud Armor) at the load balancer layer. Route-level rate limiting on auth endpoints (magic-link: 3 tokens per email / 15 min; verify: 5 attempts per token).

YesAre privileged actions audit-logged?

Every privileged action is written to audit_events with a SOC 2-aligned schema: actor email, subject, workspace, timestamp, IP address, user agent, event category (auth / access / data / billing / admin / export / review / security). CSV export available to admins.

YesHow long are audit logs retained?

audit_events retained for 365 days at minimum. Enterprise customers can request extended retention via support.

YesAre logs tamper-resistant?

Logs are append-only from the application layer — no update or delete paths exposed. Underlying Firestore has its own point-in-time recovery and immutable audit trail at the GCP layer.

YesCan logs be exported for SIEM integration?

CSV export today via /admin/audit-log-soc2/export.csv. Streaming API / webhook export on the roadmap for Enterprise customers who need real-time SIEM ingestion.

YesDo you have a written incident response plan?

Yes. Severity tiers (Sev-1 / Sev-2 / Sev-3), on-call rotation, status-page publishing within 15 minutes of Sev-1 detection, post-mortem within 7 days. Plan is shared with Enterprise customers under NDA.

YesHow quickly do you notify customers of a breach?

Within 72 hours of confirmation, as required by GDPR Article 33. Notification is direct email to the account owner — not just a dashboard update. Enterprise customers receive additional phone/Slack channels on request.

YesIs a public status page available?

Yes — gojarvisx.ai/status. Real-time component health, 30-day incident history, uptime percentage. No login required; anyone can check.

YesAre backups in place?

Firestore has point-in-time recovery (7 days) + nightly scheduled exports to GCS (30-day retention). GCS buckets have object versioning enabled — accidental deletes recoverable within 30 days.

YesIs there a disaster recovery plan?

RTO: 4 hours. RPO: 1 hour. DR runbook is tested quarterly. Details shared with Enterprise customers under NDA.

YesAre employees background-checked?

All employees with production access pass a background check before being granted credentials. Contractors are granted time-boxed access only and audited.

YesIs security training mandatory?

All engineers complete security awareness training on hire and annually thereafter. Training covers OWASP Top 10, data handling, social engineering, and our incident response plan.

YesIs production access tightly controlled?

Production access is limited to the on-call engineer for the current rotation. Access is granted just-in-time via short-lived IAM roles, audit-logged, and requires MFA.

YesIs code reviewed before deployment?

All changes merged via pull request with at least one reviewer. CI runs automated tests on every PR; deploy-to-prod requires successful build + human approval.

YesAre dependencies scanned for vulnerabilities?

GitHub Dependabot monitors requirements.txt and package.json for known CVEs. High/Critical CVEs are patched within 7 days.

YesIs there feature-flag gating for risky changes?

Yes. Every significant feature ships behind a feature flag (e.g. WORKSPACES_ENABLED, API_TOKENS_ENABLED, SAML_SSO_ENABLED) so we can kill-switch a feature without a redeploy if it misbehaves.

YesIs your sub-processor list public?

Yes — see the Trust Center. We list every vendor, their purpose, and the data types they process.

YesDo you notify customers of sub-processor changes?

Enterprise customers receive 30 days' notice by email of any material addition or change to sub-processors, with the right to object per our DPA.

YesAre you GDPR-compliant?

Yes. DPA available under Article 28. SCCs included for cross-border transfers. Data subject rights (access, deletion, portability) supported via self-serve account tools.

YesIs a DPA available?

Yes — GDPR Article 28 compliant DPA with SCCs. Standard template is sent at onboarding for Enterprise customers; can be executed pre-signup for procurement pipelines.

YesWhere is the Privacy Policy?

Public and versioned at gojarvisx.ai/privacy. Material changes are announced to users via email 30 days in advance.

YesAre you CCPA-ready?

Yes. California residents can exercise access / deletion rights via self-serve account tools or by emailing privacy@gojarvisx.ai. We do not sell personal information under the CCPA definition.