Security at SpaceTime Industries

Last updated: June 2026

Security is not an afterthought at SpaceTime Industries — it is foundational to everything we build. Sentinel OS processes sensitive threat intelligence data for critical infrastructure operators and government agencies. This page describes how we protect that data and the systems that handle it.

1. Security Architecture

Multi-Tenant Isolation

Sentinel OS is designed with strict tenant isolation at every layer of the stack. Each customer organization operates in a logically isolated environment:

• Tenant identifiers are cryptographically verified on every API request
• Database queries are scoped to the authenticated tenant — cross-tenant queries are architecturally impossible at the data access layer
• Object storage (S3-compatible) uses tenant-scoped prefixes with IAM policy enforcement
• Vector and document indices in ZeroDB are partitioned by tenant namespace

Role-Based Access Control (RBAC)

Access within an organization is controlled by RBAC:

• Roles include: Admin, Analyst, Viewer, and API-Only
• Each role has explicit permission grants for read, write, and admin actions
• Permission changes are audit-logged with timestamp and actor identity
• Principle of least privilege is enforced by default — new users receive Viewer access until explicitly elevated

JWT RS256 Token Authentication

All API and dashboard sessions are protected by JSON Web Tokens signed with RS256 (RSA + SHA-256):

• Asymmetric key pairs — private keys are stored in hardware-backed key management, never exposed
• Access tokens have short TTLs (15 minutes for dashboard sessions, configurable for API keys)
• Refresh tokens are rotated on use and invalidated on logout or suspicious activity
• Token revocation lists are checked on every request

2. Authentication

Password Security

• Passwords are hashed using bcrypt with a minimum cost factor of 12
• Plaintext passwords are never stored, logged, or transmitted
• Minimum password requirements: 12 characters, mixed case, number, and symbol
• Common password lists are checked at registration and password change

Multi-Factor Authentication (MFA)

• TOTP-based MFA (compatible with Google Authenticator, Authy, 1Password) is available to all users
• MFA is mandatory for Admin roles and strongly recommended for all users
• Enterprise customers can enforce organization-wide MFA policies

Single Sign-On (SSO)

Professional and Enterprise plans support SSO via:

• Google Workspace (OAuth 2.0 / OpenID Connect)
• Microsoft Entra ID / Azure AD (OAuth 2.0 / SAML 2.0)
• Okta (SAML 2.0 and OIDC)
• Generic SAML 2.0 providers (Enterprise only, custom configuration)

SSO sessions respect your identity provider’s session policies. Account provisioning and de-provisioning can be automated via SCIM 2.0 for Enterprise customers.

API Keys

• API keys are generated with cryptographically secure randomness (256-bit entropy)
• Keys are hashed before storage — we cannot retrieve your plaintext key after creation
• Keys can be scoped to specific permissions (read-only, specific endpoints)
• Key usage is logged and visible in your account dashboard
• Keys can be revoked instantly from the dashboard or API

3. Data Protection

ZeroDB — Vector and Document Storage

Sentinel OS uses ZeroDB for vector embeddings, semantic search, and document storage. ZeroDB applies encryption at the storage layer using AES-256-GCM. Tenant data is partitioned by namespace with strict access controls enforced at the API level.

S3-Compatible Object Storage

Raw data, threat intelligence exports, and long-term archives are stored in S3-compatible object storage with:

• Server-side encryption (SSE) using AES-256
• Bucket-level access policies enforcing tenant isolation
• Versioning enabled for data recovery
• Lifecycle policies for automated data retention compliance

Audit Logging

All security-relevant events are captured in immutable audit logs:

• Authentication events (login, logout, MFA, SSO, failed attempts)
• API key creation, rotation, and revocation
• Role and permission changes
• Data access and export events
• Alert rule modifications and incident actions
• Administrative operations by SpaceTime staff (restricted and logged)

Audit logs are retained for a minimum of 12 months (24 months for Enterprise) and are available for export from your dashboard.

4. Network Security

• HTTPS everywhere: All endpoints enforce HTTPS. HTTP connections are automatically redirected. HSTS headers are set with long max-age values.
• TLS 1.3: Minimum TLS version enforced across all services. TLS 1.0 and 1.1 are disabled. Strong cipher suites only.
• CORS: Cross-Origin Resource Sharing is configured to allow only approved origins. Wildcards are never used on authenticated endpoints.
• Rate limiting: Per-tenant and per-IP rate limits are enforced at the API gateway. Burst limits prevent denial-of-service from misbehaving clients.
• DDoS protection: Network-level DDoS mitigation is provided at the infrastructure layer.
• WAF: A Web Application Firewall filters malicious traffic patterns including SQL injection, XSS, and known exploit signatures.
• IP allowlisting: Enterprise customers can restrict API access to specific IP ranges or CIDR blocks.

5. Vulnerability Management

Dependency Scanning

All production dependencies are continuously scanned for known vulnerabilities using automated tools integrated into our CI/CD pipeline. Critical and high-severity vulnerabilities trigger immediate alerts and remediation workflows.

Security Patches

We maintain a security patch SLA:

• Critical vulnerabilities (CVSS 9.0+): Patched within 24 hours
• High vulnerabilities (CVSS 7.0–8.9): Patched within 7 days
• Medium vulnerabilities (CVSS 4.0–6.9): Patched within 30 days

Penetration Testing

SpaceTime Industries conducts annual third-party penetration testing of the Sentinel OS platform. Findings are remediated based on severity. Enterprise customers may request access to test summary reports under NDA.

Secure Development

• Security-focused code review is required for all pull requests touching authentication, authorization, or data access
• SAST (Static Application Security Testing) is run automatically in CI
• Secrets are never committed to version control — enforced by pre-commit hooks and secret scanning
• Infrastructure is defined as code and changes require peer review

6. Compliance

SOC 2 Type II (In Progress)

SpaceTime Industries is actively pursuing SOC 2 Type II certification covering Security, Availability, and Confidentiality trust service criteria. Our audit period begins Q3 2026. Enterprise customers requiring compliance documentation should contact legal@usesentinel.io.

GDPR Readiness

Sentinel OS is designed with GDPR compliance in mind:

• Data Processing Agreements (DPAs) available for EU customers
• Data subject request workflows (access, portability, deletion) are supported
• Privacy-by-design principles applied to all new features
• Data retention policies are configurable and enforced

Data Residency

Enterprise customers with data residency requirements can request EU or US data residency. Data residency configurations ensure that your Customer Data remains within your specified region. Contact sales for availability and pricing.

7. Incident Response

SpaceTime Industries maintains a formal incident response program to detect, contain, and remediate security incidents:

Detection and Alerting

• PagerDuty: On-call rotation for security incidents with escalation policies and SLA-based response targets
• Slack: Real-time security alerts delivered to our internal incident response channel with automated triage
• Email alerting: Automated notifications for critical threshold breaches, anomalous access patterns, and system health issues

Response Process

• Incidents are classified by severity (P0–P4) with defined response time SLAs
• A dedicated incident commander is assigned for P0 and P1 incidents
• Post-incident reviews (PIRs) are conducted for all P0 and P1 incidents
• In the event of a security breach affecting customer data, we will notify affected customers within 72 hours of discovery, as required by GDPR and applicable breach notification laws

8. Responsible Disclosure

We believe that working with security researchers improves the security of our platform for everyone. If you have discovered a security vulnerability in Sentinel OS or any SpaceTime Industries system, we encourage responsible disclosure.

Disclosure Guidelines

When reporting a vulnerability, please:

• Provide sufficient detail to reproduce the issue (steps, environment, proof of concept)
• Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the issue
• Do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate it (we request a 90-day coordinated disclosure window)
• Do not perform destructive testing or denial-of-service attacks

Researchers who follow these guidelines will receive our cooperation and recognition. We do not pursue legal action against researchers acting in good faith.

9. Bug Bounty

Questions About Security

For security questions, compliance documentation requests, or to report a vulnerability: