Security & Trust
The security posture your buyers ask about.
We treat your customer data — and your customers' customers' data — like it's our own. Here's exactly how.
Tenant isolation
Every database query is automatically scoped to the active tenant via a GORM plugin. There is no code path that can read across tenants without an explicit, logged override.
Auth & sessions
Passwords hashed with bcrypt. JWT sessions in httpOnly, Secure, SameSite=Lax cookies. CSRF tokens on every state-changing request. Rate limiting on authentication endpoints.
Encryption
TLS 1.2+ in transit. Disk-level encryption at rest. Secrets stored in environment variables; never in code.
Upload integrity
Uploaded files are size-bounded, content-type-validated, and path-sanitized. Per-tenant directories; no cross-tenant traversal.
Vulnerability management
Container images and dependencies scanned with Trivy on every CI build. Critical findings block deploys. Dependency updates reviewed weekly.
Audit & accountability
Administrative actions are recorded in a tenant-scoped audit log. Every HTTP request carries a correlation ID you can reference in support tickets.
Compliance roadmap
- GDPR — compliant today. Data export, deletion, and DPA available.
- CCPA — compliant today. Do-not-sell honored; subject requests acknowledged within 30 days.
- SOC 2 Type II — readiness phase. Controls operating; external audit timeline disclosed under NDA on request.
- HIPAA — not yet supported. BAA available for Enterprise pilots on request.
Found a vulnerability?
We welcome responsible disclosure. Email security@dronrly.com with reproduction steps. We acknowledge within one business day and will not take legal action against good-faith research.
See our DPA →