AuditMate Security Whitepaper
A technical deep-dive into data protection, encryption standards, and architectural security for the AuditMate platform.
01. Executive Summary
AuditMate is built on the principle of Least Privilege. Our architecture is designed to collect only the evidence required for compliance audits without maintaining persistent backdoors into your production infrastructure. This document outlines the controls we use to protect client data.
02. Data Encryption Standards
We utilize industry-standard cryptographic protocols to protect data both at rest and in transit.
Encryption at Rest
Sensitive credentials (API Keys, AWS Access Secrets) are encrypted using AES-128-CBC via the Fernet (symmetric encryption) recipe.
Key Derivation: PBKDF2HMAC
Storage: PostgreSQL (Encrypted Column-level)
Encryption in Transit
All data transmitted between our servers, your infrastructure, and the end-user is encrypted using TLS 1.3. We enforce HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
03. Infrastructure Security
AuditMate is hosted on hardened cloud infrastructure with the following protections:
- VPC Isolation: All database and worker nodes reside in private subnets with no public internet route.
- Read-Only Scans: Our integration guides strictly mandate Read-Only IAM roles and GitHub Personal Access Tokens.
- Ephemeral Workers: Audit tasks are executed in isolated Celery workers that are recycled after completion to prevent memory-leakage of sensitive tokens.
04. Authentication & Access
- Multi-Tenancy: Strict logical isolation at the database level using
organization_idforeign keys on every query. - JWT Lifecycle: Short-lived Access Tokens (15m) and long-lived Refresh Tokens (7d) with automatic rotation.
05. Compliance Disclosures
While AuditMate helps you achieve SOC2, we also maintain our own internal security posture:
Weekly automated dependency scanning via Dependabot and Snyk.
24/7 monitoring and automated alerting via PagerDuty for unauthorized access attempts.