Security
Last updated: May 2026 Effective date: June 1, 2026
Security is not a feature at INDRA — it is the product. This page describes our security architecture, operational controls, and responsible disclosure process.
1. Security Architecture
Zero State by Design. INDRA does not store authentication tokens, API keys, or agent credentials at rest. Capability tokens are cryptographically issued per-invocation and auto-expire on task completion. There is no centralized credential store to breach.
Edge-Native Enforcement. All authorization decisions are evaluated at globally distributed secure edge nodes — no round-trip to a centralized data center, eliminating the single-point-of-failure present in traditional IAM.
Cryptographic Authorization Chain. Every intent evaluation produces a cryptographically signed audit record (ECDSA P-256), committed before the action executes — providing a tamper-proof chain of custody for every agent decision.
Zero Trust Internal Architecture. Internal systems enforce Zero Trust: no implicit network trust, mutual TLS between all services, Just-In-Time engineering access to production.
2. Data Security
- Encryption in transit: TLS 1.2/1.3 enforced on all endpoints. HSTS with 1-year max-age.
- Encryption at rest: AES-256 via managed database encryption.
- Data minimization: Agent payload content and credentials are never logged or stored.
- Access control: Production access requires MFA and cryptographic SSH keys, is logged, and reviewed quarterly.
- Key management: Signing keys managed via dedicated Hardware Security Modules (HSMs). No private keys in application code or config files.
3. Infrastructure Security
- V8 isolate execution: Each request runs in its own isolated V8 context — no shared containers, no persistent memory between invocations.
- DDoS protection: Global L3/L4/L7 DDoS mitigation applied globally.
- WAF: OWASP Core Rule Set applied to all public endpoints.
- Rate limiting: All APIs enforce rate limiting. Repeated auth failures trigger automatic blocking.
4. Software Development Security
- Dependency scanning: CVE scanning on every commit and weekly automated sweeps.
- Code review: All changes require peer review. No direct commits to production.
- Secret scanning: Prevents secrets from reaching source control.
- Least-privilege CI/CD: Pipeline credentials are short-lived and environment-scoped.
5. Incident Response
INDRA maintains an Incident Response Plan covering detection, containment, eradication, recovery, and post-incident review.
- Affected customers notified within 72 hours of confirmed breach discovery (GDPR Article 33 compliant).
- Notification includes: nature of incident, data categories affected, likely consequences, and mitigating measures.
- Post-incident report delivered to affected enterprise customers within 30 days.
6. Compliance & Standards Alignment
- NIST SP 800-207 (Zero Trust Architecture) — core design principle.
- SOC 2 Type II — architecture designed for SOC 2 evidence. Formal audit planned Q4 2026.
- GDPR / CCPA — See our Privacy Policy.
- OWASP Top 10 — all categories addressed in development practices.
7. Responsible Disclosure
If you believe you have found a vulnerability in INDRA, please contact us privately before any public disclosure:
- Security Email: security@getindra.net
- PGP Key: Available upon request
- Response SLA: 48 hours
Please allow a minimum of 90 days for remediation before public disclosure, and avoid accessing or modifying customer data during research. Confirmed reporters will be acknowledged in our security advisories.
8. Contact
Security: security@getindra.net
Legal: legal@getindra.net