Security Architecture

Security is a foundational principle in Datalinx AI's design. This document outlines the security controls, encryption mechanisms, and practices that protect your data.

Security Principles

Defense in Depth

Multiple layers of security controls protect data at every level:

Fail-Fast Design

The platform is designed to fail safely rather than expose sensitive information:

No fallback values: Missing configuration causes immediate failure, not silent defaults
Generic error messages: User-facing errors never expose internal details
Secure logging: Stack traces logged internally, not returned to clients

Authentication

User Authentication

Multiple authentication methods are supported:

Method	Use Case
Username/Password	Standard user login
SSO/SAML	Enterprise identity providers
OAuth 2.0	Third-party integrations
API Keys	Programmatic access

Session Management

# Sessions are secure by default
session_config = {
    "cookie_secure": True,        # HTTPS only
    "cookie_httponly": True,      # No JavaScript access
    "cookie_samesite": "strict",  # CSRF protection
    "session_lifetime": 3600,     # 1 hour timeout
    "refresh_enabled": True       # Automatic token refresh
}

API Key Authentication

API keys provide secure programmatic access:

# API key in request header
curl -H "Authorization: Bearer dlx_sk_live_..." \
     https://api.datalinx.ai/v1/workspaces

Key properties:

Scoped to workspace: Keys limited to specific workspace
Revocable: Instantly disable compromised keys
Audited: All API key usage logged

Authorization

Role-Based Access Control (RBAC)

Permissions are organized into roles:

roles:
  organization_admin:
    - users:manage
    - workspaces:create
    - workspaces:delete
    - billing:manage

  workspace_editor:
    - mappings:create
    - mappings:edit
    - pipelines:run
    - sources:view

  workspace_viewer:
    - mappings:view
    - pipelines:view
    - sources:view

Permission Enforcement

Every API endpoint enforces permissions:

@router.post("/api/mapper/mappings")
async def create_mapping(request: Request, data: MappingCreate):
    # Permission check happens before any business logic
    user = await get_current_user(request)
    workspace = await get_workspace(request)

    if not user.has_permission("mappings:create", workspace):
        raise HTTPException(status_code=403, detail="Insufficient permissions")

    return await mapping_manager.create(data)

Data Encryption

Encryption at Rest

All stored data is encrypted:

Data Type	Encryption Method
Database	AES-256 (PostgreSQL TDE)
Object Storage	AES-256 (S3 SSE)
Credentials	AES-256-GCM with key rotation
Backups	Same as source + additional layer

Encryption in Transit

All network communication uses TLS 1.3:

# TLS configuration
tls:
  min_version: TLSv1.3
  ciphers:
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
  certificate_rotation: automatic

Credential Management

Source credentials are encrypted with workspace-specific keys:

class CredentialManager:
    def encrypt_credentials(self, workspace_id: str, credentials: dict) -> str:
        # Derive workspace-specific key
        key = derive_key(master_key, workspace_id)

        # Encrypt with AES-256-GCM
        nonce = secrets.token_bytes(12)
        cipher = AESGCM(key)
        ciphertext = cipher.encrypt(nonce, json.dumps(credentials).encode(), None)

        return base64.b64encode(nonce + ciphertext).decode()

Secure Error Handling

User-Facing Errors

Error messages shown to users are always generic:

# CORRECT: Generic message, details logged internally
try:
    result = await database.query(sql)
except Exception as e:
    logger.error(f"Database query failed: {e}", exc_info=True)
    raise SystemOperationException("Failed to retrieve data")

# WRONG: Never expose internal details
try:
    result = await database.query(sql)
except Exception as e:
    raise SystemOperationException(f"Query failed: {str(e)}")  # Exposes SQL!

What Is Never Exposed

Database connection strings
Internal file paths
API keys or tokens
SQL queries
Stack traces
Third-party service details

Network Security

Infrastructure Protection

Network Policies

Database: Only accessible from application servers
Redis/Cache: Internal network only
Object Storage: Private endpoints, no public access
API Endpoints: Rate-limited and WAF-protected

Audit Logging

What Is Logged

All security-relevant events are captured:

{
  "event_type": "authentication.login",
  "timestamp": "2024-01-15T10:30:00Z",
  "user_id": "user_123",
  "organization_id": "org_456",
  "ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0...",
  "result": "success",
  "mfa_used": true
}

Audit Categories

Category	Events
Authentication	Login, logout, password change, MFA events
Authorization	Permission changes, role assignments
Data Access	Source connections, data exports
Configuration	Mapping changes, pipeline modifications
Administration	User management, workspace operations

Log Retention

Active logs: 90 days in hot storage
Archived logs: 7 years in cold storage
Tamper protection: Write-once storage with integrity verification

Security Best Practices

For Developers

Never log credentials: Use redaction for sensitive fields
Validate all input: Never trust user-provided data
Use parameterized queries: Prevent SQL injection
Handle errors securely: Generic messages only

# Secure input validation
def validate_workspace_name(name: str) -> str:
    if not name or len(name) > 100:
        raise ValidationException("Invalid workspace name")
    if not re.match(r'^[a-z0-9_-]+$', name):
        raise ValidationException("Workspace name contains invalid characters")
    return name

For Administrators

Enable MFA: Require for all admin accounts
Regular access review: Remove unused accounts
Monitor audit logs: Set up alerts for suspicious activity
Rotate credentials: API keys, database passwords

For Users

Strong passwords: Use password manager
Enable MFA: Add extra protection
API key hygiene: Rotate keys regularly, use minimal scopes
Report suspicious activity: Contact security team immediately

Compliance

Certifications

Datalinx AI is designed to support compliance with:

SOC 2 Type II: Security, availability, and confidentiality
GDPR: Data protection and privacy
CCPA: California consumer privacy
HIPAA: Healthcare data (with BAA)

Data Processing Agreements

Enterprise customers receive:

Data Processing Agreement (DPA)
Subprocessor list
Security whitepaper
Penetration test results

Incident Response

Security Incident Process

Detection: Automated monitoring and alerting
Containment: Isolate affected systems
Investigation: Forensic analysis
Remediation: Fix vulnerabilities
Notification: Inform affected customers
Post-mortem: Document lessons learned

Reporting Security Issues

Contact security@datalinx.ai for:

Vulnerability reports
Security questions
Compliance inquiries

Multi-Tenancy - Tenant isolation
Architecture Overview - System design
Service Accounts - Programmatic access

Security Principles​

Defense in Depth​

Fail-Fast Design​

Authentication​

User Authentication​

Session Management​

API Key Authentication​

Authorization​

Role-Based Access Control (RBAC)​

Permission Enforcement​

Data Encryption​

Encryption at Rest​

Encryption in Transit​

Credential Management​

Secure Error Handling​

User-Facing Errors​

What Is Never Exposed​

Network Security​

Infrastructure Protection​

Network Policies​

Audit Logging​

What Is Logged​

Audit Categories​

Log Retention​

Security Best Practices​

For Developers​

For Administrators​

For Users​

Compliance​

Certifications​

Data Processing Agreements​

Incident Response​

Security Incident Process​

Reporting Security Issues​

Related Documentation​