Security

How we protect customer data

The controls behind our compliance posture. Encryption, identity, network isolation, access control, vulnerability management, and code provenance — every one operating today across every customer environment.

Data protection

Encryption, top to bottom

Encryption at rest

All persistent storage is encrypted with KMS-managed keys (AWS KMS, Azure Key Vault, GCP Cloud KMS). Customer-managed keys (CMK / BYOK) available on enterprise tier.

  • RDS, EBS, S3, EFS — KMS-encrypted by default
  • Backups inherit volume encryption and rotate automatically
  • No plaintext customer data in logs, snapshots, or temp files

Encryption in transit

TLS 1.2+ everywhere. HSTS preloaded. mTLS between control-plane services. Internal service mesh encrypts pod-to-pod traffic on EKS / AKS / GKE.

  • TLS 1.3 preferred where supported
  • Modern cipher suites only (no RC4, no 3DES, no SHA-1)
  • Public endpoints rated A+ on Qualys SSL Labs

Identity & access

Zero-trust by default

SSO + MFA

BetterAuth handles email/password with mandatory MFA on the platform. Workforce identity is Google Workspace (SAML/OIDC) with hardware-key MFA for engineers.

  • Customer SSO available on enterprise tier (SAML, OIDC)
  • TOTP and WebAuthn supported for end users
  • Session expiry, revocation, and device management built in

Least-privilege access

No standing production access. Engineers request just-in-time elevation through PIM-style flows; access is time-bounded, logged, and reviewed.

  • Per-customer cloud accounts (AWS Organizations / Azure subs / GCP projects)
  • IAM roles audited quarterly; unused roles removed
  • Customer read-only roles available for assist sessions

Audit logging

CloudTrail, Azure Activity Log, and GCP Cloud Audit are enabled across every environment, shipped to immutable storage, and retained per customer policy.

  • Application-level audit logs for auth, billing, and admin actions
  • Tamper-evident retention (S3 Object Lock / immutable blob storage)
  • Customer-readable export available under NDA

Network & operations

Isolation, monitoring, response

Network isolation

Per-customer VPCs / VNets / GCP networks. Private subnets for all data tiers. No shared compute, no shared databases, no cross-customer data flow at the network layer.

Continuous monitoring

24/7 alerting on anomalies, failed auth bursts, and suspicious egress. PagerDuty escalation on P1 events. SIEM ingestion available where required.

Incident response

Documented runbooks, on-call rotation, and a 5-business-day postmortem commitment for every P1 incident. Customer Slack channel updates for affected services.

Vulnerability management

Find it. Fix it. Prove it.

Dependency & SAST scanning

Dependabot, GitHub Code Scanning (CodeQL), and Trivy run on every PR. Container images scanned before push. Critical CVEs trigger automated upgrade PRs.

Secret scanning

GitHub secret scanning + push protection on every repo. Pre-commit hooks block known secret patterns. Detected secrets are rotated immediately.
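The kind of pre-commit check the paragraph above refers to, as an added illustration (this is not fencepencil's own hook, and the rule set, the `# pragma: allowlist secret` marker and the staged-file samples are assumptions made for the example). It scans the text of staged files line by line against a few well-known secret patterns and reports what would block the commit:

```python
import re
from dataclasses import dataclass

# Rules are (name, compiled pattern). The AWS and GitHub token shapes are the
# publicly documented formats; the generic rule is a deliberately loose
# "<secret-ish name> = '<8+ chars>'" catch-all. Assumed rule set for this example.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----")),
    ("generic-assignment",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Lines carrying this marker are intentionally exempt (test fixtures, docs).
# The marker text is this example's own convention.
ALLOWLIST_MARKER = "# pragma: allowlist secret"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; allowlisted lines are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule))
    return findings


def scan_staged(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping (stands in for `git diff --cached`)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def should_block(files: dict[str, str]) -> bool:
    """A hook would exit non-zero when this returns True."""
    return bool(scan_staged(files))


# Constructed sample of "staged" files. The AWS key is AWS's documented
# placeholder key, and the PEM body is a made-up fragment, not real key material.
SAMPLE_STAGED = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = False\n',
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedfragment\n",
    "README.md": "Set API_KEY in your environment; see docs.\n",
    "tests/fixtures.py": 'password = "not-a-real-secret"  # pragma: allowlist secret\n',
}

if __name__ == "__main__":
    for f in scan_staged(SAMPLE_STAGED):
        print(f"{f.path}:{f.line_no}: blocked by rule {f.rule}")
    raise SystemExit(1 if should_block(SAMPLE_STAGED) else 0)
```

In a real hook the `files` mapping would be built from `git diff --cached --name-only` and the staged blob contents; the point of the structure is that every hit is a named rule at a named line, so the rotation step that follows a detection has something concrete to act on.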

Penetration testing

Annual third-party penetration test plus continuous internal red-team exercises. Summary letter shareable; full report under NDA.

Code provenance

Supply-chain hygiene

Signed commits & tags

All production releases ship from signed Git commits and signed tags. Branch protection requires PR review, CI green, and signature verification.

Reproducible builds

CI builds are pinned to immutable container digests. Production images are content-addressed; rollback is a digest swap, not a rebuild.
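As an added example of the check behind "pinned to immutable container digests" (not fencepencil's own tooling; the manifest below is constructed, and the digest values are filler), this parses container image references and reports any that are selected by mutable tag rather than by content digest:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified OCI reference shape: [registry[:port]/]repo[:tag][@sha256:<64 hex>]
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
IMAGE_LINE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s]+)['\"]?\s*$")


@dataclass(frozen=True)
class ImageRef:
    name: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into name, tag and digest.

    The tag is the text after the last ':' only when that ':' comes after the
    last '/', so a registry port (host:5000/repo) is not mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
    name, tag = ref, None
    last_slash = ref.rfind("/")
    last_colon = ref.rfind(":")
    if last_colon > last_slash:
        name, tag = ref[:last_colon], ref[last_colon + 1:]
    return ImageRef(name, tag, digest)


def is_digest_pinned(ref: str) -> bool:
    """True only for a well-formed sha256 digest; a tag alongside it is fine."""
    parsed = parse_image_ref(ref)
    return parsed.digest is not None and DIGEST_RE.match(parsed.digest) is not None


def find_unpinned_images(manifest_text: str) -> list[str]:
    """Return every `image:` value in a YAML-ish manifest that is not digest-pinned."""
    unpinned = []
    for line in manifest_text.splitlines():
        m = IMAGE_LINE_RE.match(line)
        if m and not is_digest_pinned(m.group(1)):
            unpinned.append(m.group(1))
    return unpinned


# Constructed manifest fragment; the digests are filler, not real image hashes.
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_MANIFEST = f"""
containers:
  - name: api
    image: registry.example.com:5000/fence/api@{FAKE_DIGEST}
  - name: sidecar
    image: ghcr.io/example/proxy:1.4.2
  - name: worker
    image: "registry.example.com:5000/fence/worker:2.0.1@{FAKE_DIGEST}"
"""

if __name__ == "__main__":
    for ref in find_unpinned_images(SAMPLE_MANIFEST):
        print(f"not digest-pinned: {ref}")
```

A tag-only reference such as `ghcr.io/example/proxy:1.4.2` can be re-pointed at a different image by whoever controls the tag, which is why a rollback that is "a digest swap, not a rebuild" depends on every reference carrying the digest in the first place.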

SBOM & supply chain

CycloneDX SBOMs generated for every release. Provenance attestations (SLSA-aligned) on container images. Sub-processor list maintained on /trust.

Responsible disclosure

Found a security issue? Email security@fencepencil.com. We acknowledge within one business day, triage within three, and credit you in our hall of fame on resolution if you'd like.

PGP key on request. Please give us a reasonable window before public disclosure.

Bug bounty

No public bug bounty yet. We pay for impactful reports today on a discretionary basis and plan to formalize a program once our SOC 2 Type II report issues. Want early access? Tell us.
