Security

Architecture

• Encryption at rest: All content stored in S3 with KMS-managed encryption. Database (DynamoDB) tables also use KMS encryption.
• Encryption in transit: TLS 1.2+ everywhere — admin UI, public site, engine API, MCP transport.
• Network: Engine and CMS run in a single VPC; only the public CDN and the admin UI are internet-facing.
• Auth: Cognito-issued JWTs for users; CMS-minted so_* tokens for AI agents (per-key scopes, TTL, rate limits); engine-direct gq_* tokens for service-to-service.
• Audit chain: Every mutation cryptographically links to the prior state. Tamper-evidence is verifiable end-to-end.
• WORM mode: Optional per-graph; once on, no published version can be edited — only superseded with a new version.
• Access log: Every read against an audit-graded graph is logged with actor + timestamp + headers.

Threat model

We're explicit about what we defend against and what we don't (yet):

Defended:

• Account takeover via Cognito (MFA available)
• API-key leakage (TTL + per-key rate limits + revocation)
• Tamper of historical content (audit chain)
• Unauthorized cross-tenant access (per-graph IAM + tenant isolation in the engine)

In progress (transparent about):

• Prompt injection in features that consume user content (document import, visual edit, bulk rewrite). We're shipping scoped agent tokens to mitigate.
• Lifecycle-hook sandbox — currently runs in Node's vm, which is not a security boundary; moving to isolated-vm.
• Secrets in process env — moving to per-request SSM lookup so process exfiltration doesn't yield credentials.

The full threat-model writeup is in the AI capabilities doc under "Auth + safety".

Vulnerability disclosure

Email security@staticowl.com. We commit to acknowledging within 1 business day. We will never threaten or pursue legal action against good-faith security researchers.

Compliance

• SOX ready (audit chain + WORM)
• GDPR ready (subject access + delete + export)
• HIPAA in scope for Enterprise (BAA available; not yet ready for Pro/Business plans)
• SOC 2 Type 1 audit planned post-GA

Talk to us about a security review →