Security Overview

Modern security practices to protect your data and applications.

Last updated: March 2026

Centrali treats security as a first-class concern. This page describes the controls in place today, where customer data lives, and the work we have on deck. We don't overclaim — if a certification isn't listed here, we don't hold it.

Data Security

  • Customer data is hosted in the **United States** on Microsoft Azure
  • All data is encrypted **in transit using TLS 1.2+**
  • All databases use **encrypted storage at rest**
  • Database access is restricted to authorized internal system services only — no direct public database access
  • **Workspace isolation** is enforced at the data layer — every query filters by workspace, preventing cross-tenant data leakage
  • File storage uses Azure Blob Storage with server-side encryption
  • Secrets and credentials are never logged or stored in plaintext

Authentication & Access Control

  • Token-based API authentication with signed JWTs
  • Workspace-based roles and permissions (owner, admin, member)
  • API keys are hashed before storage — we cannot retrieve plaintext keys
  • Idle sessions are automatically invalidated
  • Internal team access to production systems is restricted to named individuals on a need-to-know basis
  • Multi-factor authentication (MFA) is on our roadmap for user accounts

Multi-Tenant Isolation

Centrali is a multi-tenant platform. Every tenant's data is logically isolated:

  • All database queries are scoped by `workspaceSlug` — a structural constraint enforced at the code level
  • Workspace API keys cannot access data belonging to other workspaces
  • File storage paths are namespaced per workspace
  • Compute functions run in isolated execution environments

We do not rely solely on application-layer logic for isolation — it is enforced as a hard constraint throughout the system.

Network Security

  • All services operate behind firewalls with restricted inbound access
  • Rate limiting applied to all public API endpoints
  • Infrastructure-level DDoS mitigation via Azure
  • Internal services communicate over private networks — not exposed publicly
  • Suspicious request patterns are automatically flagged and blocked

Backups & Redundancy

  • Automated daily database backups with point-in-time recovery
  • Redundant storage across availability zones
  • Disaster recovery procedures tested periodically
  • Backup integrity is verified automatically

Operational Security

  • Static application security testing (SAST) via **Semgrep** in CI
  • System-level audit logging for privileged operations
  • Security patches and dependency updates applied regularly
  • Production deployments require review and approval
  • We monitor for anomalous access patterns and alert on suspicious activity
  • Sensitive configuration is managed through environment secrets — not hardcoded

Incident Response

If a security incident occurs that affects your data, we are committed to:

  • Notifying affected customers within 72 hours of becoming aware of a confirmed breach
  • Communicating clearly what data was affected, what happened, and what we did about it
  • Posting a public incident report for significant events
  • Preserving evidence for investigation and learning

Internal incident response includes a defined escalation path, a designated security contact, and post-incident review. We treat every incident — no matter how small — as a learning opportunity.

For active security concerns, contact: security@centrali.io

Where We're Headed

We are actively investing in security and compliance. Upcoming milestones include:

  • SOC 2 Type I — our near-term compliance milestone
  • Third-party penetration test — external assessment by an independent firm
  • MFA enforcement — multi-factor authentication for user accounts
  • Audit logging expansion — workspace-level audit trails for customer-facing events
  • Vulnerability scanning — automated scanning of dependencies and container images in CI
  • Formal access control review — audit of all internal roles and permissions

If you are evaluating Centrali for a use case that requires a specific certification, please reach out at security@centrali.io — we will be direct about whether we can meet your requirements today.

Vulnerability Disclosure

If you discover a security vulnerability in Centrali, we ask that you report it responsibly: security@centrali.io

Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Any relevant logs, screenshots, or proof-of-concept

We will acknowledge your report within 2 business days and keep you informed of our remediation progress. We do not pursue legal action against researchers who act in good faith.

A machine-readable security policy is available at: centrali.io/.well-known/security.txt