Trust · Wholestack
Security Overview
This page summarizes how we protect customer data. Report vulnerabilities to security@wholestack.ai.
Authentication & MFA
Accounts are managed in-house with hashed passwords and signed, HTTP-only session cookies — there is no third-party identity provider. Optional OAuth (Google, GitHub) and TOTP multi-factor authentication with single-use recovery codes are supported. Login endpoints are rate-limited against brute force.
Enterprise SSO & SCIM
SAML single sign-on (via BoxyHQ Jackson) with DNS-verified domains and SCIM 2.0 provisioning with group-to-role mapping are supported. When a workspace enforces SSO, all password and email-code logins for that domain are blocked; there is no bypass path.
Authorization (RBAC)
Role-based access control (admin, staff engineer, engineer, viewer) is enforced server-side. Every workspace- and project-scoped request verifies both the caller's role and that the resource belongs to them, preventing cross-tenant access.
Data protection
All traffic is encrypted in transit (TLS). User secrets and signing keys are encrypted at rest with AES-256-GCM and never returned to clients. The database is encrypted at rest by the managed host. Secrets are never logged in production, and CI scans for committed secrets.
Audit logging
A tamper-evident, hash-chained audit log records authentication, role changes, invites, member removal, SSO sign-in, plan changes, and admin actions, with configurable retention and optional SIEM webhook delivery.
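How hash chaining makes a log tamper-evident, shown as an added example that is not Wholestack's code. The entry layout, the `GENESIS` value, the action names and the externally stored `anchored_head` are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed prev_hash for the first entry


def entry_hash(prev_hash, event):
    """SHA-256 over the previous hash and a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()


def append(log, event):
    """Append an event, linking it to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev_hash,
                "hash": entry_hash(prev_hash, event)})
    return log[-1]["hash"]  # new head; keep a copy outside the log store


def verify(log, anchored_head=None):
    """Return (ok, index_of_first_bad_entry_or_None).

    anchored_head is a head hash saved outside the log (assumption). Without
    it, removing the newest entries leaves a chain that still links correctly.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return False, i  # an earlier entry was removed or reordered
        if entry["hash"] != entry_hash(prev_hash, entry["event"]):
            return False, i  # this entry's content was altered
        prev_hash = entry["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, len(log)  # log was truncated or rewritten wholesale
    return True, None


def build_sample():
    """Constructed sample events; names loosely follow the event types above."""
    log, head = [], None
    for event in [
        {"ts": "2024-01-01T10:00:00Z", "actor": "u1", "action": "auth.login"},
        {"ts": "2024-01-01T10:05:00Z", "actor": "u1", "action": "role.change",
         "target": "u2", "role": "admin"},
        {"ts": "2024-01-01T10:09:00Z", "actor": "u1", "action": "member.remove",
         "target": "u3"},
    ]:
        head = append(log, event)
    return log, head
```

Editing or deleting an entry breaks the chain at that index, while truncation is only caught when the head hash is compared against a copy held elsewhere.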
Monitoring, backups & recovery
Errors are captured in Sentry and usage in PostHog. The database uses point-in-time recovery with a weekly automated restore drill that verifies backups are usable. Deploys and migrations are gated by required reviewers, and rollbacks are atomic.
Subprocessors & data flow
We use a limited set of subprocessors (Stripe, Trigger.dev, Resend, PostHog, Sentry, hosting, and managed Postgres). Authentication is not delegated to a subprocessor. The full subprocessor list and a data-flow map are maintained in our repository's SECURITY.md.
Your data rights
Request access, correction, or deletion of account data at privacy@wholestack.ai. See our Privacy Policy for details.
