Security Overview

Modern security practices to protect your data and applications.

Last updated: March 2026

Centrali is an early-stage platform built with security as a core principle. We are transparent about our current controls and honest about what we are still working toward. We will never overclaim certifications or compliance badges we do not hold.

Compliance Posture & Transparency

We are not currently SOC 2 certified. We are an early-stage company and are actively building toward formal compliance frameworks. What we can commit to today: • We apply modern security controls to protect your data • We are transparent when we fall short • We notify customers promptly in the event of a security incident • We are actively working toward SOC 2 Type I as a near-term milestone If you are evaluating Centrali for a use case that requires specific compliance certifications, please reach out at security@centrali.io and we will be direct about whether we can meet your requirements today.

Data Security

  • All data is encrypted **in transit using TLS 1.2+**
  • All databases use **encrypted storage at rest**
  • Database access is restricted to authorized internal system services only — no direct public database access
  • **Workspace isolation** is enforced at the data layer — every query filters by workspace, preventing cross-tenant data leakage
  • File storage uses Azure Blob Storage with server-side encryption
  • Secrets and credentials are never logged or stored in plaintext

Authentication & Access Control

  • Token-based API authentication with signed JWTs
  • Workspace-based roles and permissions (owner, admin, member)
  • API keys are hashed before storage — we cannot retrieve plaintext keys
  • Idle sessions are automatically invalidated
  • Internal team access to production systems is restricted to named individuals on a need-to-know basis
  • Multi-factor authentication (MFA) is on our roadmap for user accounts

Multi-Tenant Isolation

Centrali is a multi-tenant platform. Every tenant's data is logically isolated: • All database queries are scoped by `workspaceSlug` — a structural constraint enforced at the code level • Workspace API keys cannot access data belonging to other workspaces • File storage paths are namespaced per workspace • Compute functions run in isolated execution environments We do not rely solely on application-layer logic for isolation — it is enforced as a hard constraint throughout the system.

Network Security

  • All services operate behind firewalls with restricted inbound access
  • Rate limiting applied to all public API endpoints
  • Infrastructure-level DDoS mitigation via Azure
  • Internal services communicate over private networks — not exposed publicly
  • Suspicious request patterns are automatically flagged and blocked

Backups & Redundancy

  • Automated daily database backups with point-in-time recovery
  • Redundant storage across availability zones
  • Disaster recovery procedures tested periodically
  • Backup integrity is verified automatically

Operational Security

  • System-level audit logging for privileged operations
  • Security patches and dependency updates applied regularly
  • Production deployments require review and approval
  • We monitor for anomalous access patterns and alert on suspicious activity
  • Sensitive configuration is managed through environment secrets — not hardcoded

Incident Response

If a security incident occurs that affects your data, we are committed to: • Notifying affected customers within 72 hours of becoming aware of a confirmed breach • Communicating clearly what data was affected, what happened, and what we did about it • Posting a public incident report for significant events • Preserving evidence for investigation and learning Internal incident response includes a defined escalation path, a designated security contact, and post-incident review. We treat every incident — no matter how small — as a learning opportunity. For active security concerns, contact: security@centrali.io

Security Roadmap

We are actively investing in security. Upcoming milestones include: • Formal access control review — audit of all internal roles and permissions • Audit logging expansion — workspace-level audit trails for customer-facing events • Third-party penetration test — external security assessment by an independent firm • Vulnerability scanning — automated scanning of dependencies and container images in CI • SOC 2 Type I — formal compliance audit as we scale • MFA enforcement — multi-factor authentication for user accounts We publish our product roadmap at centrali.io/roadmap.

Vulnerability Disclosure

If you discover a security vulnerability in Centrali, we ask that you report it responsibly: security@centrali.io Please include: • A description of the vulnerability • Steps to reproduce • Any relevant logs, screenshots, or proof-of-concept We will acknowledge your report within 2 business days and keep you informed of our remediation progress. We do not pursue legal action against researchers who act in good faith. A machine-readable security policy is available at: centrali.io/.well-known/security.txt