Security

Last updated: 2026-05-02

We assume the only thing that matters is this: the platform that monitors your infrastructure must not be the one that compromises it. The full posture lives in /docs#security; this page summarizes it for procurement and security review.

Encryption

  • In transit: TLS 1.3 for all web, API, and agent traffic.
  • At rest: AES-256-GCM for cloud credentials, with versioned key rotation.
  • Backups: AES-256 encrypted before leaving the primary region.
  • Passwords: argon2id (memory-hard).

Access controls

  • Role-based access (owner, admin, operator, viewer).
  • SSO (OIDC, SAML) on Business and Enterprise plans.
  • Per-template action permissions on the agent, read-only by default.
  • Host fingerprint pinning prevents agent key reuse on different hosts.
  • JWT access tokens with 1-hour expiry; opaque refresh tokens hashed at rest.

Operational

  • Daily encrypted backups stored cross-region.
  • Rate limiting on every API endpoint.
  • Full audit log of every action: yours, ours, and the system's. Exportable on Business and Enterprise plans.
  • Hardened systemd profile for the on-host agent (no privilege escalation, no kernel tunables, restricted writable paths).
  • Approval queue for high- and critical-risk actions, even in autonomous mode.

Vulnerability disclosure

Found something? We'd love to hear about it. Email security@rognix.com with details and steps to reproduce. We respond within 1 business day, fix critical issues within 7 days, and credit researchers in our security advisories (with permission).

Out of scope: anything that requires social engineering, physical access, or compromise of third-party services we don't control (Stripe, Resend, etc.).

Compliance

SOC 2 Type 2 audit in progress (target: late 2026). The full controls document and audit log export are available on Business and Enterprise plans.

security.txt

Contact: mailto:security@rognix.com
Expires: 2027-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://rognix.com/.well-known/security.txt
Policy: https://rognix.com/security