UnboundBytes Digital freedom with a safety net
🚀 Join Beta Waitlist

Security

Security built in, not bolted on

We protect your data with multiple layers of security controls. Your infrastructure, your data, your control—with enterprise-grade protections that actually work.

How we protect you

Every layer of the platform is designed to protect your data and infrastructure.

Multi-tenant isolation

Your data is completely isolated from other users. Each tenant gets a dedicated Durable Object with strict access controls. Comprehensive automated testing ensures cross-tenant data access is prevented.

Cloudflare Durable Objects with tenant-scoped state

Zero-trust authentication

Every request is verified. Portal uses Auth0 JWT with JWKS signature verification. Agent communication uses HMAC-SHA256 with device-specific secrets. No implicit trust, ever.

JWT (RS256) + HMAC-SHA256 with timestamp validation

Encrypted configuration delivery

App credentials and secrets are encrypted in transit using Vault Transit Engine (AES-256-GCM). Secrets are only decrypted on your infrastructure, never on our servers.

Vault Transit Engine (AES-256-GCM) with authenticated encryption

OWASP Top 10 protection

Built-in defenses against SQL injection, XSS, CSRF, path traversal, and command injection. Comprehensive automated validation testing ensures input safety across all entry points.

Comprehensive input validation with Zod, output encoding, CSRF tokens

Secure session management

HTTP-only, secure, SameSite cookies prevent session hijacking. JWT tokens verified with rotating keys (JWKS). Session timeouts and secure logout.

Signed session cookies (HS256), JWT with JWKS (30-minute cache)

TLS 1.3 everywhere

All external traffic encrypted with TLS 1.3 minimum. Certificate validation enforced. HSTS headers prevent downgrade attacks. No plaintext data transmission.

TLS 1.3 with perfect forward secrecy, HSTS enforcement

How we protect our backend

Our infrastructure security ensures the control plane itself is secure and reliable.

HashiCorp Vault for secrets

All secrets stored in Vault KV v2, never in code or environment variables. AppRole authentication with least-privilege policies. Automatic secret rotation.

Vault KV v2 with AppRole auth, time-limited tokens

Defense in depth

Multiple overlapping security layers: network (Cloudflare WAF), authentication (JWT/HMAC), authorization (tenant validation), input validation, output encoding, audit logging.

7-layer security model with independent failure domains

Rate limiting & circuit breakers

Per-tenant rate limits prevent abuse. Circuit breakers stop cascading failures. Request timeouts prevent resource exhaustion. DDoS protection via Cloudflare.

Durable Object-based rate limiting, exponential backoff

Comprehensive audit logging

All security events logged with structured data. Vault audit logs track secret access. Tenant operations logged for compliance. No sensitive data in logs.

Structured JSON logging, Vault audit backend, tenant-scoped logs

Automated security testing

Comprehensive automated security testing in CI/CD including tenant isolation tests, input validation tests, and security regression prevention. Dependency scanning keeps vulnerabilities out.

Vitest security suites, pre-commit hooks, GitHub Actions

Zero password exposure

Auth0 handles portal authentication—we never see or store passwords. Agent uses HMAC signatures, not passwords. Your app data never touches our servers. Even if our platform is compromised, your data remains secure on your infrastructure.

Auth0 OIDC, HMAC-SHA256, no password storage

Better than industry norms

Most self-hosting platforms leave security as an afterthought. We built it in from day one.

Typical self-hosting platforms

Common issues

  • Plain-text configuration files (env files, docker-compose.yml)
  • No backup verification (backups may exist but are rarely tested—most platforms never verify backups actually work)
  • Manual secret management (passwords in config files)
  • No multi-tenant isolation (single-user deployments)
  • Minimal input validation (trust user input)
  • No audit logging (can't track who did what)

Our approach

  • Encrypted configuration delivery via Vault Transit
  • Weekly backup verification with integrity checks
  • HashiCorp Vault for all secrets with automatic rotation
  • Strong multi-tenant isolation with 38 automated tests
  • 136 validation tests covering all injection types
  • Comprehensive audit logging with structured events

Enterprise platforms

Common issues

  • Complex setup requiring dedicated security team
  • Expensive licensing and per-seat fees
  • Vendor lock-in with proprietary protocols
  • Over-engineered for individual users
  • Black-box security (can't verify implementations)

Our approach

  • Simple setup with security built-in from day one
  • Flat pricing, no per-seat fees
  • Open source—you can verify and audit everything
  • Built for individuals, not enterprise teams
  • Transparent security architecture with public documentation

DIY solutions

Common issues

  • No standardized security practices
  • Manual security hardening required
  • No automated testing or validation
  • Security knowledge required to implement
  • Easy to misconfigure and leave vulnerabilities

Our approach

  • Security best practices enforced by design
  • Hardening configured automatically
  • Automated security testing in CI/CD
  • Security built-in, no expertise required
  • Secure defaults with validation at every layer

Security by the numbers

100%
OWASP Top 10 coverage

Ready to self-host with confidence?

Get enterprise-grade security without the enterprise complexity. Join the beta waitlist to get early access.

🚀 Join Beta Waitlist