Security for Technical CEOs and CTOs

Technical Security & Privacy Details

This page describes implementation-level controls, operational boundaries, and mandatory release gates. No security theater: only enforceable controls count.

1. Data isolation architecture

Each customer instance is mapped to its own subdomain and a dedicated MySQL/MariaDB schema. Isolation is enforced by tenant routing and per-tenant database credentials, reducing blast radius.

  • Tenant routing is explicit at application level.
  • Per-tenant database credentials are provisioned separately.
  • Provisioning and lifecycle actions are performed through controlled APIs.

2. Access control and support access policy

Customer data access for support is disabled by default and allowed only after explicit customer authorization for a limited time window.

Important: This is an operational and application-enforced model, not a zero-knowledge cryptographic model.

  • Access must be request-based and approved.
  • Access duration must be bounded and revocable.
  • Support activity must be logged for auditability.

3. Encryption

  • TLS/HTTPS for external traffic.
  • Private secured channels for control-plane communication.
  • Host-level disk encryption and encrypted off-host backups (restic client-side encryption).

4. Identity and authentication

  • Email verification for account activation.
  • WebAuthn security-key MFA support in the account security model.
  • Role-based access boundaries across organizations and users.

5. Hosting and data residency

Managed hosting is on OVHcloud infrastructure in France.

For maximum control and restricted environments, customers can choose the On-Prem deployment model.

6. Compliance posture

Cost Truth is operated to comply with EU GDPR and applicable data privacy laws, with supporting legal and operational documentation.

  • Privacy policy and legal terms are part of product delivery.
  • Data handling boundaries and processing responsibilities are documented.

Additional controls to include (recommended)

  • Data Processing Agreement (DPA) template and execution flow.
  • Subprocessor inventory with residency and purpose.
  • Documented retention and deletion schedule.
  • Incident response process and breach-notification runbook.
  • Security contact channel and responsible disclosure policy.
  • Backup restore test cadence with evidence records.

Release-gate TODOs (must be complete before production go-live)

  • TODO - Verify host-level disk encryption baseline on all managed hosts, with documented ownership and periodic review.
  • TODO - Implement enforceable support-access workflow: explicit approval, time-limited sessions, and mandatory audit logs.
  • TODO - Enforce MFA policy by role where required and keep enrollment/challenge controls audited.
  • TODO - Publish GDPR package: DPA, subprocessor list, retention/deletion policy, and data-subject request process.
  • TODO - Define and test incident response and breach notification process with named owners.
  • TODO - Run and document backup/restore drills on a fixed schedule.
  • TODO - Add automated evidence checks in preflight/doctor for critical security controls.

Policy: No production release is accepted until every item above is implemented and verified.

Back to security overview