Security
Last updated: 17.07.2026
Security is core to Aegvale. This page describes controls that are actually implemented in the product. We do not make claims about certifications we do not hold.
Encryption
All traffic is served over HTTPS/TLS. Sensitive data you provide — the API keys and request headers for the agents you test — is encrypted at rest using AES-256-GCM. Encrypted values are decrypted only in memory at scan time and are never returned to the browser.
Authentication & access
- Passwords are hashed with bcrypt; sessions use short-lived JWT access tokens with rotating refresh tokens.
- Two-factor authentication (TOTP) with one-time backup codes.
- Enterprise SSO (OIDC) and SCIM 2.0 user provisioning.
- Role-based access control (Owner / Admin / Member / Viewer) and multi-tenant isolation per organization.
- Active-session management and an audit log of security-relevant actions.
API key protection
Programmatic API keys are stored only as hashes; the full key is shown once at creation. Keys can be scoped and revoked at any time.
Application security
- Server-side Server-Side Request Forgery (SSRF) guards on outbound scan requests.
- Security headers (Helmet), CORS locked to the application origin, and rate limiting.
- Secrets are never exposed to the client; input is validated on the server.
Infrastructure
The service runs on managed cloud infrastructure: Vercel (frontend hosting), Render (application hosting), and PostgreSQL (managed database on Render).. Data is stored in a managed PostgreSQL database. A self-hosted / on-premise deployment option is available for data-residency requirements.
Data retention & deletion
Scan data is retained per your organization’s configured retention period and then purged automatically. You can request account and data deletion at support@aegvale.com.
Reporting a vulnerability
Please report suspected vulnerabilities responsibly to support@aegvale.com. See our Responsible Disclosure policy.