Security Policy

Last updated: March 2026

1. Overview

Security is foundational to OpenSyber. As a platform that secures AI agent infrastructure, we hold ourselves to the highest standards. This policy describes our security practices, vulnerability reporting process, and the controls we apply to protect your data and workloads.

2. Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly:

  • Email security@opensyber.cloud with a detailed description
  • Include steps to reproduce, impact assessment, and any proof-of-concept
  • We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours
  • We do not pursue legal action against good-faith security researchers

3. Encryption & Data Protection

We apply cryptographic controls at every layer:

  • In transit — TLS 1.3 enforced on all connections; HSTS enabled
  • At rest — AES-256-GCM for credentials, secrets, and sensitive configuration
  • Session binding — TokenForge ECDSA P-256 device-bound sessions; the session's private key is non-extractable, so a session token stolen from one device cannot be replayed from another
  • API tokens — only the SHA-256 hash of each token is stored; raw tokens are never persisted

4. Data Handling

Agent telemetry, security events, and audit logs are processed on Cloudflare's global network and stored in D1 (SQLite) and R2 object storage. We apply strict data minimization — we collect only what is necessary to operate the platform and deliver security insights.

  • Secrets and API keys are never logged or stored in plaintext
  • Security event logs are retained for 90 days (configurable on Enterprise)
  • Data deletion (GDPR Article 17, right to erasure) and data export (GDPR Article 20, data portability) available on request

5. Infrastructure Security

Our infrastructure is designed for defense in depth:

  • Compute isolation — agent containers run on dedicated Hetzner VMs with seccomp profiles and read-only root filesystems
  • Agent authentication — every agent-to-API call carries a gateway token that is validated against the KV record for that specific agent instance, so a token from one instance cannot act for another
  • Edge security — Cloudflare WAF, DDoS protection, and rate limiting on all endpoints
  • Code and dependency scanning — automated SAST, SCA, and secret scanning on every commit

6. Compliance

OpenSyber is designed to support compliance with major security frameworks:

  • SOC 2 Type II — audit readiness with continuous control monitoring
  • ISO 27001 — information security management alignment
  • EU AI Act — Section 6 transparency and governance reporting
  • GDPR — data minimization, right to erasure, data portability

7. Incident Response

We maintain a documented incident response plan with defined severity levels:

  • P0 (Critical) — active exploitation or data breach; response within 1 hour, customer notification within 24 hours
  • P1 (High) — exploitable vulnerability; patched within 72 hours
  • P2 (Medium) — non-exploitable risk; addressed in next release cycle
  • Post-incident reviews are conducted for all P0/P1 events with published root cause analysis

8. Contact

For security-related questions or to report a vulnerability, contact us at security@opensyber.cloud.