DEVAI SUITE

Security Overview

Effective Date: March 12, 2026 · Last Updated: April 29, 2026

DevAI Suite handles regulated manufacturing data (APQP, FMEA, PPAP, supplier and operations records) for automotive and aerospace customers. We design and operate the platform with administrative, technical, and organizational safeguards aligned to NIST CSF 2.0 and ISO 27001 control families. This page is the executive overview; the full security white paper covers each control in depth.

Security White Paper (v1.0): architecture, RLS, encryption, auth, audit, vendor management, IR/DR, subprocessors, compliance roadmap. ~14 pages, EN + ES.

1. Compliance & Certifications Roadmap

We're a 2026-founded venture. Where we have in-flight certifications we say so honestly — preparation work is live, third-party audits scheduled.

  • Compliant: GDPR (EU 2016/679). DPA available; Article 32 technical & organizational measures; Subject Rights workflow live.
  • Compliant: CCPA / CPRA. Right-to-know & right-to-delete via the same DSR pipeline as GDPR.
  • In progress: SOC 2 Type II. Trust services criteria scoped (Security, Availability, Confidentiality). Observation period: H2 2026. Audit firm engagement: Q4 2026.
  • Planned: ISO/IEC 27001:2022. ISMS scoping in 2026 H2; certification audit targeted H1 2027. Annex A controls already mapped to internal policies.
  • Planned: ISO/IEC 27701. Privacy extension to ISO 27001; bundled audit cycle once 27001 lands.
  • Roadmap: IEC 62443 (industrial). For customers with OT-adjacent integration scope; engaged on request.

For the full audit timeline, third-party assessor names, and pre-audit gap evidence, contact security@devaisuite.com.

2. Data Isolation & Multi-Tenancy

Every customer's data lives in a single shared Postgres database, isolated by PostgreSQL Row-Level Security (RLS). Every table that holds customer data has an RLS policy keyed to the request's tenant context; the application layer sets the tenant on every database session via a middleware that's part of the request authentication chain. Cross-tenant SELECTs return zero rows by design, even if the application code has a bug.

RAG document storage is per-tenant: each org's uploaded documents land in object-storage prefixes scoped by org_id. RAG search is bounded by the same tenant context. Embeddings (Voyage AI voyage-3-large, 1024-dim) are stored in pgvector; the embedding read path applies RLS identically.
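
The isolation pattern described in this section, sketched as an added example (not DevAI Suite's own schema or code). The table `fmea_records`, role `app_rw`, policy `tenant_isolation`, setting `app.current_org_id` and the sample rows are all hypothetical; it shows the two details that make the guarantee hold: a policy that fails closed when no tenant is bound, and a transaction-local tenant setting so pooled connections do not carry context between requests.

```sql
-- Added illustration; every table, role, policy and setting name is hypothetical.
CREATE TABLE fmea_records (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    title  text NOT NULL
);

ALTER TABLE fmea_records ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner too; superusers and
-- BYPASSRLS roles still skip it, so the application must not use one.
ALTER TABLE fmea_records FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the setting was never set and
-- '' after a transaction-local value expires; NULLIF folds both to NULL, so
-- the comparison is never true without a tenant context (fail closed).
CREATE POLICY tenant_isolation ON fmea_records
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

CREATE ROLE app_rw NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON fmea_records TO app_rw;
GRANT USAGE ON SEQUENCE fmea_records_id_seq TO app_rw;

SET ROLE app_rw;

-- What the middleware would do per request: bind the tenant inside a
-- transaction (third argument true = transaction-local), so a pooled
-- connection cannot carry one tenant's context into the next request.
BEGIN;
SELECT set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO fmea_records (org_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'constructed row, tenant A');
COMMIT;

BEGIN;
SELECT set_config('app.current_org_id', '22222222-2222-2222-2222-222222222222', true);
-- Tenant B's session: the policy filters out tenant A's row.
SELECT id, title FROM fmea_records;
-- Writing a row for another org violates WITH CHECK and raises an error.
INSERT INTO fmea_records (org_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'constructed cross-tenant write');
ROLLBACK;

-- No tenant bound (a code path that skipped the middleware): policy is NULL.
SELECT count(*) FROM fmea_records;
RESET ROLE;
```

When assessing a deployment of this kind, the checks that matter are that every tenant table has both `ENABLE` and `FORCE ROW LEVEL SECURITY`, and that the application's database role has neither `SUPERUSER` nor `BYPASSRLS`.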

3. Encryption

In transit: TLS 1.2+ on all customer-facing endpoints. HSTS with includeSubDomains. Strong cipher suites only (AES-GCM and ChaCha20-Poly1305).

At rest: Postgres data is encrypted at rest by the cloud provider's volume-encryption layer. Object storage (Cloudflare R2) encrypts at rest by default. Sensitive integration credentials are envelope-encrypted with a per-deployment Fernet key (DEVAI_CREDENTIALS_ENCRYPTION_KEY); the key is rotated on a documented cadence and never leaves the secret store.

4. Authentication & Access Control

  • Identity options: email/password (Argon2id), Google SSO, Microsoft Entra ID SSO. SSO-only users have NULL passwords (no password-login fallback).
  • MFA: TOTP-based; optional per org policy and required for the platform-admin role.
  • Authorization: Role-based access control with permission rows enforced by every protected route via ensure_permission. Decisions are recorded to an append-only audit log.
  • Session tokens: Short-lived JWTs with rotation on sensitive actions. Stored in cookies set with HttpOnly, Secure, and SameSite=Lax, and validated server-side per request.
  • CAPTCHA: Cloudflare Turnstile gates registration, login, password-reset, and the public demo sandbox.

5. Audit Logging

Security-relevant events are written to an append-only audit table scoped by org: authentication events, role changes, data access for regulated artifacts (PPAP submissions, FMEA edits), AI proposal accept/reject, integration credential changes, sandbox toggle. Logs ship to a centralized aggregator (Sentry breadcrumbs scrubbed for PII; structured logs for ops). Customer admins can request export of their org's audit history via the DSR pipeline.

6. Vendor & Subprocessor Management

We use vetted third-party providers for infrastructure, AI, and email delivery. Each subprocessor is reviewed for data-residency, contract terms (DPA in place), and security posture before onboarding. Changes are notified to customers per the DPA's notification cadence.

The current subprocessor list is published at /subprocessor-list.html and includes Cloudflare (DNS / R2 storage / Turnstile), Fly.io (compute / managed Postgres), Anthropic / OpenAI / Groq (LLM inference; opted-in per org), Voyage AI (embeddings), Stripe (billing), Resend (transactional email), Sentry (error tracking, PII-scrubbed).

7. Secure Software Development Lifecycle

  • Branch protection on main; required reviews on every PR.
  • Automated CI: type checks, unit + integration test suite (~3,000 tests), schema-drift gate on the OpenAPI spec.
  • Dependency monitoring via GitHub Dependabot; security-relevant patches land within 7 days for high-severity advisories.
  • Secrets never in code; Fly Secrets store + per-deployment provisioning with validate_production_config startup check (refuses to boot on misconfiguration).
  • Database migrations are reviewed and idempotent; production runs alembic upgrade head as a release-command pre-flight.

8. Monitoring, Detection & Incident Response

Continuous monitoring covers application errors, infrastructure health (Fly status, Postgres readiness, Redis, R2), and rate-limit anomalies. Sentry integration captures exceptions with PII scrubbing applied at the logging filter. We maintain documented incident-response procedures with tiered severity, escalation paths, status-page communication templates, and post-mortem cadence (see also our escalation runbook). Where legally required for personal-data breaches, customer notification is targeted within 72 hours of confirmed awareness.

9. Disaster Recovery & Business Continuity

Postgres point-in-time backups are retained for 5 days with documented restore procedures and a quarterly restoration rehearsal cadence (last verified: 2026-Q2). RTO target for full-stack restoration is 30 minutes. Object storage is single-region (Cloudflare R2); the global template library is reproducible from source code via the publish_global_library tool. The full DR runbook is internal but available to enterprise customers under NDA.

10. Customer Responsibilities (Shared Model)

Security is shared. Customers are responsible for managing authorized users in their org, protecting credentials, enabling available security settings (MFA, allowed-email-domains), validating AI outputs before relying on them for regulated decisions, and assessing what data they choose to upload.

11. Contact

Security inquiries
Vulnerability disclosure
DPA / GDPR / CCPA
Status page