Security

Last updated: February 1, 2025

Our Commitment

Security is foundational to Ostack. We design our infrastructure and processes to protect your data, your connections, and your teams. This page describes our security practices and architecture.

Infrastructure

Hosting

Ostack runs on cloud infrastructure with data centers in the EU (Frankfurt) and US (Virginia). All infrastructure is managed with infrastructure-as-code and automated deployment pipelines.

Network Security

  • All traffic is encrypted in transit using TLS 1.3
  • Network segmentation isolates tenant environments
  • DDoS protection and Web Application Firewall (WAF) are enabled by default
  • Internal services communicate over private networks with mutual TLS

Data Protection

Encryption

  • At rest — All data is encrypted using AES-256
  • In transit — TLS 1.3 for all external connections
  • Secrets — Connection tokens and credentials are encrypted with per-tenant keys managed through a dedicated secrets vault

Data Isolation

Each organization's data is logically isolated. Access controls enforce strict tenant boundaries at the application and database layers. Cross-tenant data access is architecturally prevented.

Authentication & Access

  • SSO support via SAML 2.0 and OIDC
  • Multi-factor authentication (MFA) available for all accounts
  • Role-based access control (RBAC) with least-privilege defaults
  • Session management with configurable timeout policies
  • API authentication via short-lived tokens with scoped permissions

Connection Proxy

MCP connections are routed through our secure connection proxy. The proxy:

  • Never stores raw credentials — tokens are encrypted and scoped
  • Enforces per-connection permission boundaries
  • Logs all connection activity for audit purposes
  • Supports credential rotation without stack reconfiguration

Compliance

  • GDPR — Full compliance with EU data protection regulations
  • SOC 2 Type II — Audit in progress
  • Data residency — EU data stays in EU regions

Incident Response

We maintain a documented incident response plan. In the event of a security incident:

  • Affected customers are notified within 72 hours
  • A root cause analysis is conducted and shared
  • Remediation steps are implemented and verified

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to security@ostack.cloud. We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.

Contact

For security questions or concerns, contact our security team at security@ostack.cloud.