Security at Adverant

Security built into every layer of our platform. Your data is protected by encryption, access controls, and continuous monitoring.

Last Updated: March 30, 2026

Encryption Everywhere

TLS in transit, AES-256 at rest across all services

Active

Zero Trust Architecture

Service mesh mTLS, role-based access, multi-factor authentication

Active

GDPR Aligned

Building toward full compliance with European data protection regulations

In Progress

Continuous Monitoring

Automated threat detection, anomaly analysis, and audit logging

Active

Security Overview

Security is a core part of how we build and operate the Nexus platform. We protect your data with encryption, access controls, and continuous monitoring across every layer of our infrastructure.

Our security program includes:

  • Infrastructure Security: Kubernetes with Istio service mesh and Cloudflare edge protection
  • Data Protection: Encryption at rest (AES-256) and in transit (TLS)
  • Access Management: OAuth 2.0/OIDC authentication with RBAC and MFA
  • Continuous Monitoring: Automated threat detection and anomaly analysis
  • Privacy: Building toward GDPR compliance with data protection by design

For security questions or to report vulnerabilities, reach out via our contact form.

Infrastructure Security

Edge Protection

All traffic to Adverant services passes through Cloudflare:

  • WAF: Web Application Firewall with Layer 7 protection and managed rulesets
  • DDoS Mitigation: Automatic Layer 3/4 and Layer 7 DDoS protection
  • CDN: Global edge caching to reduce origin exposure
  • Rate Limiting: Per-endpoint rate limiting and bot management
  • IP Reputation: Automated threat intelligence filtering

Service Mesh and Network Isolation

Services run on Kubernetes (K3s) with Istio service mesh:

  • Mutual TLS (mTLS): All service-to-service communication is encrypted and authenticated via Istio
  • Network Policies: Default-deny ingress with explicit allowlists per service
  • Namespace Isolation: Services separated into Kubernetes namespaces with RBAC boundaries
  • Ingress Control: Istio gateway with VirtualService routing and header-based security policies

Firewall and Access Controls

  • Default-deny firewall policies for all inbound traffic
  • SSH access restricted to key-based authentication only
  • Administrative access limited to allowlisted IPs
  • Internal services not exposed to the public internet

Data Security

Encryption at Every Layer

All data is encrypted in transit over networks and at rest in storage. Your data is never stored in plain text.

Encryption at Rest

  • Algorithm: AES-256 encryption for all stored data
  • Databases: PostgreSQL with encrypted storage volumes
  • Graph Database: Neo4j with encrypted storage for knowledge graphs
  • Vector Database: Qdrant with encrypted storage for semantic search
  • Cache: Redis with TLS-encrypted connections
  • Volumes: Encrypted persistent volumes for all Kubernetes workloads

Encryption in Transit

  • TLS: All external API and web traffic encrypted via TLS (Cloudflare edge termination)
  • mTLS: Mutual TLS for all internal service-to-service communication via Istio
  • Database Connections: SSL/TLS required for all database connections
  • WebSockets: WSS (WebSocket Secure) for all real-time streams

Multi-Tenant Data Isolation

  • Namespace Isolation: Tenant data separated via application-level namespacing (company ID + app ID headers)
  • Row-Level Security: PostgreSQL RLS policies enforce tenant boundaries at the database level
  • Vector Isolation: Qdrant tenant filtering ensures semantic search results are scoped per tenant
  • API Signing: HMAC-SHA256 signed requests between frontend proxy and backend services

Access Control

Authentication

  • OAuth 2.0 / OIDC: Standard-compliant authentication via our nexus-auth service
  • Multi-Factor Authentication: TOTP-based MFA available for all accounts
  • JWT Tokens: Short-lived access tokens with refresh token rotation
  • Session Management: Server-side session tracking with configurable timeouts

Role-Based Access Control (RBAC)

Granular permissions based on the principle of least privilege:

  • Owner: Full administrative control
  • Admin: User management and billing
  • Developer: API access and application management
  • Viewer: Read-only access to resources

API Security

  • API keys scoped per application with read/write permissions
  • JWT-validated proxy with HMAC-SHA256 request signing
  • Rate limiting per endpoint and per tenant
  • Request validation and input sanitization
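The HMAC-SHA256 request signing mentioned under Multi-Tenant Data Isolation and API Security above is shown here as an added example; this is not Adverant's code and it assumes a hypothetical canonical string format, header names (X-Company-Id, X-App-Id, X-Timestamp, X-Signature) and a constructed shared secret, none of which the page specifies. The verifier side binds the signature to the tenant headers, the method, the path and a hash of the body, rejects stale timestamps, and compares digests in constant time so a forged or tampered request from a client that lacks the proxy secret is refused.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a real deployment would load it from a secret store.
SHARED_SECRET = b"example-proxy-secret-not-a-real-key"
# Accept signed requests only within this many seconds of the verifier's clock (assumed window).
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, company_id, app_id, timestamp, body):
    """Build the string the HMAC is computed over (hypothetical format).

    Binding method, path, tenant headers, timestamp and a body digest means a
    valid signature for one tenant or one endpoint cannot be replayed on another.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, company_id, app_id, str(timestamp), body_hash])


def sign_request(secret, method, path, company_id, app_id, body, timestamp=None):
    """Proxy side: produce the signing headers for an outbound backend request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    message = canonical_string(method, path, company_id, app_id, ts, body)
    signature = hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()
    return {
        "X-Company-Id": company_id,   # assumed header name
        "X-App-Id": app_id,           # assumed header name
        "X-Timestamp": str(ts),       # assumed header name
        "X-Signature": signature,     # assumed header name
    }


def verify_request(secret, method, path, headers, body, now=None):
    """Backend side: return (accepted, reason) for an inbound request.

    Checks headers are present and well formed, the timestamp is fresh, and the
    presented signature matches the recomputed one using a constant-time compare.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        company_id = headers["X-Company-Id"]
        app_id = headers["X-App-Id"]
        ts = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signing headers"

    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside acceptance window"

    message = canonical_string(method, path, company_id, app_id, ts, body)
    expected = hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the digests differ through timing.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"query": "quarterly revenue"}'   # constructed sample body
    headers = sign_request(SHARED_SECRET, "POST", "/v1/search", "company-123", "app-7", body, timestamp=1700000000)
    print(verify_request(SHARED_SECRET, "POST", "/v1/search", headers, body, now=1700000010))
    # A request re-labelled with a different tenant id fails the signature check.
    headers["X-Company-Id"] = "company-999"
    print(verify_request(SHARED_SECRET, "POST", "/v1/search", headers, body, now=1700000010))
```

The tenant identifiers are part of the signed material, so the backend can trust the company and app headers it uses for namespacing only after verification succeeds; a request that passes the signature check but carries stale or missing headers is still rejected before any tenant-scoped query runs.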

Monitoring and Threat Detection

Automated Threat Detection

Our platform includes automated security monitoring agents that continuously analyze system behavior:

  • Anomaly Detection: Automated analysis of access patterns and API usage
  • Threat Detectors: Multiple detection engines for brute force, credential stuffing, privilege escalation, data exfiltration, and suspicious API patterns
  • Service Health Probing: Periodic HTTP health checks across all services with automatic alerting
  • Container Monitoring: Kubernetes pod health, restart detection, and resource anomaly tracking

Audit Logging

  • All authentication events logged (login, logout, MFA, failed attempts)
  • API access logged with user, endpoint, timestamp, and response status
  • Administrative actions tracked with full audit trail
  • Audit logs stored in PostgreSQL with retention policies

Incident Response

In the event of a security incident:

  • Detection: Automated alerts from monitoring agents trigger investigation
  • Containment: Isolation of affected services via Kubernetes network policies
  • Notification: Affected customers notified within 72 hours as required by applicable regulations
  • Post-Incident: Root cause analysis and remediation documented

Vulnerability Management

Dependency Scanning

  • Container Scanning: Automated vulnerability scanning of Docker images
  • Dependency Auditing: Automated alerts for known vulnerabilities in third-party libraries
  • SAST: Static analysis integrated into our development workflow

Patch Management

  • Critical: Patched as soon as possible, typically within 24-48 hours
  • High: Patched within 7 days
  • Medium: Patched within 30 days
  • Low: Addressed in regular maintenance cycles
  • Rolling deployments for zero-downtime updates

Security Hardening

We perform regular security reviews of our codebase. In March 2026, we completed a comprehensive security hardening across 54 files, addressing 16 identified vulnerabilities including multi-tenant isolation, authentication token handling, and input validation across chat, terminal, and API surfaces.

Responsible Disclosure

How to Report Vulnerabilities

If you discover a security vulnerability in our services, we encourage you to report it responsibly. We are committed to working with security researchers to verify and address vulnerabilities.

Reporting Process

  • Submit via our contact form with "Security" as the subject
  • Include a detailed description of the vulnerability
  • Provide steps to reproduce the issue
  • Include any proof-of-concept code or screenshots
  • Share your contact information for follow-up

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Resolution Timeline: Based on severity
  • Public Disclosure: Coordinated after patch deployment

Guidelines

  • Do not exploit vulnerabilities beyond proof of concept
  • Do not access, modify, or delete customer data
  • Do not perform denial-of-service attacks
  • Allow reasonable time to patch before public disclosure

Safe Harbor

We will not pursue legal action against security researchers who follow our responsible disclosure guidelines and make a good faith effort to avoid privacy violations and service disruption.

Contact Security Team

For security inquiries, vulnerability reports, or general questions, reach out through our contact form.

For security-related inquiries, please include "Security" in the subject line.

Security Questions?

Our team is available to discuss your security and data protection requirements.