Security
Last updated: February 1, 2025
Our Commitment
Security is foundational to Ostack. We design our infrastructure and processes to protect your data, your connections, and your teams. This page describes our security practices and architecture.
Infrastructure
Hosting
Ostack runs on cloud infrastructure with data centers in the EU (Frankfurt) and US (Virginia). All infrastructure is managed with infrastructure-as-code and automated deployment pipelines.
Network Security
- All traffic is encrypted in transit using TLS 1.3
- Network segmentation isolates tenant environments
- DDoS protection and Web Application Firewall (WAF) are enabled by default
- Internal services communicate over private networks with mutual TLS
Data Protection
Encryption
- At rest — All data is encrypted using AES-256
- In transit — TLS 1.3 for all external connections
- Secrets — Connection tokens and credentials are encrypted with per-tenant keys managed through a dedicated secrets vault
Data Isolation
Each organization's data is logically isolated. Access controls enforce strict tenant boundaries at the application and database layers. Cross-tenant data access is architecturally prevented.
Authentication & Access
- SSO support via SAML 2.0 and OIDC
- Multi-factor authentication (MFA) available for all accounts
- Role-based access control (RBAC) with least-privilege defaults
- Session management with configurable timeout policies
- API authentication via short-lived tokens with scoped permissions
Connection Proxy
MCP connections are routed through our secure connection proxy. The proxy:
- Never stores raw credentials — tokens are encrypted and scoped
- Enforces per-connection permission boundaries
- Logs all connection activity for audit purposes
- Supports credential rotation without stack reconfiguration
Compliance
- GDPR — Full compliance with EU data protection regulations
- SOC 2 Type II — Audit in progress
- Data residency — EU data stays in EU regions
Incident Response
We maintain a documented incident response plan. In the event of a security incident:
- Affected customers are notified within 72 hours
- A root cause analysis is conducted and shared
- Remediation steps are implemented and verified
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly to security@ostack.cloud. We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.
Contact
For security questions or concerns, contact our security team at security@ostack.cloud.