Security

ArturaOS is built security-first. This page describes the technical and organisational controls we use to protect your salon's data.

Authentication & Access

  • JWT access tokens (15-minute expiry) with HTTP-only refresh token rotation
  • Bcrypt password hashing with configurable cost factor
  • Brute-force protection — account lock after 5 failed attempts with exponential back-off
  • Two-factor authentication (TOTP) available for all accounts
  • Session management — active sessions visible and revocable per device
  • Role-based access control (Owner, Manager, Staff, Receptionist)
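The lockout rule above (lock after 5 failed attempts, then exponential back-off) is a small state machine that is easy to get subtly wrong, for example by counting attempts made while the account is already locked, or by checking the password before the lock. The following is an added example, not ArturaOS code: it implements that policy in Python with assumed values for the base lock (60 s) and cap (4 h), which the page does not state, and uses the standard library's PBKDF2 with a constant-time compare in place of bcrypt so that it runs without third-party packages.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List

MAX_FAILURES = 5             # from the page: lock after 5 failed attempts
BASE_LOCK_SECONDS = 60       # assumed base lock; the page does not give the value
MAX_LOCK_SECONDS = 4 * 3600  # assumed cap so the back-off cannot grow without bound


@dataclass
class LoginState:
    """Per-account counters. In a real service these live in the DB or Redis."""
    failures: int = 0          # consecutive failures since the last lock or success
    lockouts: int = 0          # consecutive locks; drives the exponential back-off
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def lock_duration(lockouts: int) -> int:
    """Exponential back-off: 60 s, 120 s, 240 s, ... capped at MAX_LOCK_SECONDS."""
    return min(BASE_LOCK_SECONDS * 2 ** (lockouts - 1), MAX_LOCK_SECONDS)


def attempt_login(state: LoginState, verify: Callable[[], bool], now: float) -> str:
    """Apply the lockout policy to one attempt; returns 'locked', 'ok' or 'failed'.

    `verify` is only called when the account is not locked, so a flood of
    requests against a locked account costs no hash computations and cannot
    reveal whether a guess was correct. Attempts during a lock are not counted.
    """
    if now < state.locked_until:
        return "locked"
    if verify():
        state.failures = 0
        state.lockouts = 0
        state.locked_until = 0.0
        return "ok"
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.lockouts += 1
        state.failures = 0
        state.locked_until = now + lock_duration(state.lockouts)
        return "locked"
    return "failed"


def pbkdf2_verifier(stored: bytes, salt: bytes, candidate: str) -> Callable[[], bool]:
    """Constant-time password check. Stand-in for bcrypt (a third-party package)
    using the standard library so the example runs offline; the lockout policy
    above does not depend on which hash is used."""
    def verify() -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        return hmac.compare_digest(digest, stored)
    return verify


def demo() -> List[str]:
    """Constructed scenario: 5 wrong guesses, a correct password during the
    lock (still refused), 5 more wrong guesses after the lock expires (the
    lock doubles to 120 s), then the correct password once the second lock ends."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    state = LoginState()
    outcomes = []
    for _ in range(5):  # five failures at t=0 -> lock until t=60
        outcomes.append(attempt_login(state, pbkdf2_verifier(stored, salt, "wrong"), 0.0))
    outcomes.append(attempt_login(state, pbkdf2_verifier(stored, salt, "correct horse"), 30.0))
    for _ in range(5):  # first lock has expired; five more failures -> lock until t=181
        outcomes.append(attempt_login(state, pbkdf2_verifier(stored, salt, "wrong"), 61.0))
    outcomes.append(attempt_login(state, pbkdf2_verifier(stored, salt, "correct horse"), 200.0))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping when adapting this: the lock check comes before the hash computation, and a success resets both counters, so a legitimate user who mistypes a few times is not carrying lock history forward indefinitely.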

Infrastructure

  • All traffic encrypted with TLS 1.3 (HTTPS enforced, HSTS enabled)
  • Hosted on German infrastructure (ISO 27001 certified data centres)
  • Database and file storage isolated per tenant with no cross-tenant data access
  • PostgreSQL data at rest encrypted via storage-layer AES-256
  • Redis cache with in-transit encryption and AUTH-protected access
  • Docker containers with non-root users and read-only file systems
  • Automated daily backups retained for 30 days with point-in-time recovery

Application Security

  • OWASP Top 10 mitigations applied — SQL injection, XSS, CSRF, IDOR
  • Strict Content Security Policy headers on all responses
  • Rate limiting on all endpoints (per-user and per-IP)
  • Parameterised SQL queries via SQLAlchemy ORM — no raw string interpolation
  • User-supplied content sanitised before storage and on render
  • File uploads scanned for MIME type; served from isolated storage with signed URLs
  • Dependency vulnerability scanning in CI pipeline (pip-audit, npm audit)
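Two of the controls listed in this section and the previous one, parameterised queries instead of string interpolation and per-tenant isolation with no cross-tenant access (the IDOR mitigation), come down to how every query is written. The following is an added example, not ArturaOS code: it uses Python's built-in sqlite3 driver rather than SQLAlchemy so it runs offline, with a constructed two-tenant table. The unsafe variant is included only to show why interpolation is ruled out; a legitimate name containing an apostrophe is enough to break it.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed schema and rows: two salons (tenant_id 100 and 200) in one database.
SCHEMA = """
CREATE TABLE appointments (
    id INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,
    client_name TEXT NOT NULL
);
"""
ROWS = [
    (1, 100, "Anna Schmidt"),
    (2, 100, "Conor O'Brien"),
    (3, 200, "Priya Nair"),
]


def open_demo_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO appointments VALUES (?, ?, ?)", ROWS)
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, tenant_id: int, name: str) -> List[int]:
    """What the page rules out: the value is spliced into the SQL text, so the
    database cannot tell data from query. A quote in the name already breaks it."""
    sql = (f"SELECT id FROM appointments WHERE tenant_id = {tenant_id} "
           f"AND client_name = '{name}'")
    return [row[0] for row in conn.execute(sql)]


def find_by_name(conn: sqlite3.Connection, tenant_id: int, name: str) -> List[int]:
    """Parameterised: the driver passes the values separately from the SQL text,
    so whatever the name contains is treated as data, never as SQL."""
    sql = "SELECT id FROM appointments WHERE tenant_id = ? AND client_name = ?"
    return [row[0] for row in conn.execute(sql, (tenant_id, name))]


def get_appointment(conn: sqlite3.Connection, tenant_id: int,
                    appointment_id: int) -> Optional[Tuple[int, int, str]]:
    """Every lookup is scoped by the caller's tenant_id, which comes from the
    authenticated session, never from the request. An id that belongs to another
    tenant returns None, exactly as if it did not exist."""
    sql = "SELECT id, tenant_id, client_name FROM appointments WHERE id = ? AND tenant_id = ?"
    return conn.execute(sql, (appointment_id, tenant_id)).fetchone()


def unsafe_lookup_breaks(conn: sqlite3.Connection) -> bool:
    """True if the interpolated query fails on a real name with an apostrophe."""
    try:
        find_by_name_unsafe(conn, 100, "Conor O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_demo_db()
    print("parameterised lookup:", find_by_name(db, 100, "Conor O'Brien"))
    print("interpolated lookup breaks:", unsafe_lookup_breaks(db))
    print("tenant 100 reading tenant 200's row:", get_appointment(db, 100, 3))
```

The same shape carries over to SQLAlchemy: bound parameters or ORM filters instead of f-strings, and a `tenant_id` condition on every query, ideally applied centrally (a scoped session or query helper) so that a single forgotten filter cannot leak another salon's data.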

Audit & Monitoring

  • Immutable audit log for all sensitive actions (login, data export, permission changes)
  • Sentry error tracking with release tagging and PII scrubbing
  • Prometheus + Grafana metrics for latency, error rates, and queue depths
  • Automated alerting for anomalous login patterns and failed access attempts
  • GeoIP-based suspicious login detection with user notification

Incident Response

  • Security issues acknowledged within 24 hours of responsible disclosure
  • Critical vulnerabilities patched and deployed within 72 hours
  • Affected tenants notified via email with full impact disclosure
  • Post-incident reports published for major security events

Compliance & Privacy

  • GDPR-compliant data processing — lawful basis documented per data type
  • Right to erasure and data portability supported with one-click export/deletion
  • Data Processing Agreement (DPA) available on request
  • Cookie consent management — no tracking cookies without explicit consent
  • Sub-processors listed and reviewed quarterly

Responsible Disclosure

If you discover a security vulnerability, please report it privately before public disclosure. We commit to acknowledging your report within 24 hours and resolving critical issues within 72 hours.

security@arturaos.com

Last updated May 2026