Security
EntropyX runs in industrial environments where downtime, data loss, and regulatory exposure carry real consequences. This page is an honest account of how the platform is built and operated today, and what is on the roadmap.
Workspace isolation
Every customer operates inside their own workspace. Workspace identity is required on every data-layer query; a request that omits or mismatches a workspace returns a 404, not a 403, so that workspace existence is never disclosed across tenants. Sub-resources (assets, work orders, documents, history) are validated for ownership on every request.
Roles within a workspace are OWNER, ADMIN, and MEMBER. Sensitive operations are gated by role.
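The 404-not-403 rule and the role gate described above, as an added example that is not EntropyX's code. The data, the function names (`getAsset`, `deleteAsset`, `roleIn`, `findAsset`) and the choice to answer 403 for a role failure inside the caller's own workspace are assumptions made for illustration.

```javascript
// Constructed sample data: two tenants with one asset each.
const ASSETS = new Map([
  ["a-100", { id: "a-100", workspaceId: "ws-acme", name: "Pump 7" }],
  ["a-200", { id: "a-200", workspaceId: "ws-globex", name: "Chiller 2" }],
]);
// Constructed memberships: user -> (workspace -> role).
const MEMBERSHIPS = new Map([
  ["alice", new Map([["ws-acme", "OWNER"]])],
  ["bob", new Map([["ws-acme", "MEMBER"]])],
  ["carol", new Map([["ws-globex", "ADMIN"]])],
]);

// One shared response, so "no such workspace", "not your workspace" and
// "no such asset" cannot be told apart by status code or body.
const NOT_FOUND = Object.freeze({ status: 404, body: { error: "Not found" } });

// Caller's role in the requested workspace; null if omitted or not a member.
function roleIn(userId, workspaceId) {
  return MEMBERSHIPS.get(userId)?.get(workspaceId) ?? null;
}

// Data-layer read: the workspace ID is part of every lookup, never optional.
function findAsset(workspaceId, assetId) {
  const asset = ASSETS.get(assetId);
  return asset && asset.workspaceId === workspaceId ? asset : null;
}

function getAsset(userId, workspaceId, assetId) {
  if (!roleIn(userId, workspaceId)) return NOT_FOUND;
  const asset = findAsset(workspaceId, assetId);
  return asset ? { status: 200, body: asset } : NOT_FOUND;
}

// Assumption: a role failure inside the caller's own workspace may answer 403,
// because membership already tells the caller that the workspace exists.
function deleteAsset(userId, workspaceId, assetId) {
  const role = roleIn(userId, workspaceId);
  if (!role) return NOT_FOUND;
  if (!findAsset(workspaceId, assetId)) return NOT_FOUND;
  if (role !== "OWNER" && role !== "ADMIN") {
    return { status: 403, body: { error: "Forbidden" } };
  }
  ASSETS.delete(assetId);
  return { status: 204, body: null };
}
```

A useful regression test for this pattern compares the full response for a real foreign workspace against the response for a workspace that does not exist; any difference in status, body or headers is a tenant-enumeration signal.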
Authentication
- Sessions are stored in encrypted HTTP-only cookies (iron-session) and expire after seven days.
- Passwords are hashed with bcrypt (cost factor 10) before being stored. We never store plaintext passwords.
- Password policy: minimum ten characters, at least one upper-case letter, one lower-case letter, and one digit.
- Rate limits on login (5 / minute / IP) and registration (3 / hour / IP) to slow credential stuffing and abuse.
- Edge middleware validates the session before any route handler executes.
SAML SSO and SCIM provisioning are on our roadmap for the Business tier; they are not currently available.
Encryption
- TLS 1.2 or above for all traffic between client, server, and sub-processors.
- Customer files are stored with our object-storage sub-processor using server-side AES-256 encryption at rest.
- The PostgreSQL database is hosted on encrypted volumes provided by our cloud sub-processor.
Application hardening
- HTTP security headers on every response: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.
- Strict content type validation on uploads (PDF, DOCX, XLSX, CSV, TXT, PNG, JPG; 20 MB cap).
- Server-side validation of every mutation; client trust is never assumed.
- 3D models are processed through gltf-transform to strip unreferenced data before storage.
Shelby (AI assistant)
Shelby is built on an enterprise-grade large language model running on a vetted cloud sub-processor under a no-training data agreement. The architecture has three properties that bound the blast radius:
- Workspace-scoped retrieval. Embeddings and database tools are filtered by your workspace ID. Shelby cannot see other tenants' data.
- Read-only tools. Shelby has 51 database tools, none of which can create, modify, or delete records. There is no path from a prompt to a write.
- No outbound internet. Shelby cannot fetch URLs or call external APIs. Inference happens against a single contracted provider; everything else stays inside our infrastructure.
Inputs are validated against prompt-injection patterns; outputs are validated to redact accidentally surfaced secrets (API keys, connection strings) before they reach the client. The inference provider is contractually prohibited from using customer prompts to train its foundation models. The provider name is disclosed under NDA as part of our DPA.
Audit trails
Asset changes are auto-logged with the actor, timestamp, and before/after values. The history is queryable through the application and the API. Operator annotations are logged separately and attributed to the user who made them.
Backups and recovery
The database is backed up daily by our cloud sub-processor on a rolling thirty-day window. Backups are encrypted at rest. Recovery procedures are tested as part of our pre-launch checklist.
Sub-processors
The current list of sub-processors and the purpose of each is published at /subprocessors. Workspace owners are emailed before a new sub-processor that handles customer content is added.
Compliance roadmap
EntropyX is currently in early access. We are not yet certified under SOC 2 Type II or ISO 27001. Our controls are being designed against those frameworks and we expect to begin a Type I audit within twelve months of general availability. We will publish dates and auditor names when scheduled.
For privacy and GDPR-related processing details, see the Privacy Policy.
Responsible disclosure
If you believe you have found a vulnerability in EntropyX, email [email protected]. We acknowledge receipt within two business days and will work with you in good faith. We support safe-harbour testing: do not access data that is not your own, do not degrade the Service for other tenants, and give us a reasonable window to remediate before disclosure.
Contact
Security questionnaires, DPAs, and procurement: [email protected].