Security Policy
This Security Policy summarizes the technical and organizational measures Fimil, Inc. uses to protect the Service and your data. It describes our current posture in good faith. For the controls we publish in more detail, and for security questionnaires, see our Trust Center.
1. Infrastructure
The Service runs on managed Kubernetes at DigitalOcean (San Francisco region). Application and database traffic is served over TLS, and our website and application are fronted by Cloudflare for content delivery and edge protection. Certificates are issued and renewed automatically via Let’s Encrypt. Production is currently a single-region deployment; multi-region failover and Redis high availability are planned.
2. Encryption
- In transit — TLS 1.2 or higher on external connections, with HSTS enabled.
- At rest — the managed database is encrypted at rest by the provider. In addition, we apply application-layer encryption (Fernet — AES-128-CBC with HMAC-SHA256 authentication) to sensitive fields such as integration OAuth tokens, cloud and target credentials, and MFA secrets. Encryption keys support versioned rotation (MultiFernet).
3. Authentication and access control
- Passwords are hashed with Argon2id (legacy bcrypt hashes are verified and transparently upgraded on login).
- Multi-factor authentication (TOTP) with recovery codes is available; secrets are stored encrypted.
- Account protection — failed-login monitoring with account lockout and automated brute-force/credential-stuffing detection and IP blocking.
- API tokens are stored only as SHA-256 hashes and shown once at creation.
- SSO — OAuth2/OIDC federation is supported for customer single sign-on (GitHub, GitLab, Bitbucket).
- Authorization — role-based access control is enforced at the API, with tenant-level data isolation. Privileged and support actions, including support impersonation, are time-limited and fully audit-logged.
4. Scanner and agent execution isolation
Scanner workloads run in hardened, isolated environments: no network access (--network=none), all Linux capabilities dropped, privilege escalation disabled, source mounted read-only, and strict CPU/memory/time limits. Application pods run as non-root with read-only root filesystems, dropped capabilities, and a default seccomp profile. Kubernetes network policies restrict pod-to-pod traffic, and Falco provides runtime security monitoring with custom detection rules and container-image-drift detection.
The autonomous penetration-testing agent operates within a scope guard that blocks requests outside your authorized allowlist (including cloud-metadata and private-network addresses) and records an immutable audit trail of its activity.
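The scope guard described above, as an added illustration that is not Fimil's own code: a stdlib-only Python check that admits a target only if its host is on the customer allowlist and none of its resolved addresses fall in cloud-metadata, private, loopback or link-local ranges. The caller supplies the resolved addresses, and the blocked ranges, the is_in_scope function and the sample hosts are assumptions for this example.

```python
"""Scope guard for an autonomous testing agent (illustrative, not Fimil's code).
A target passes only if its hostname is on the explicit allowlist AND every
address it resolves to is outside the blocked ranges. Resolved addresses are
passed in by the caller so the check is deterministic and runs offline."""
import ipaddress
from urllib.parse import urlsplit

# Destinations that are never in scope, regardless of the allowlist (assumed set).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                  # link-local, incl. cloud metadata 169.254.169.254
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "127.0.0.0/8", "0.0.0.0/8", "100.64.0.0/10",       # loopback, "this" network, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
    "fd00:ec2::254/128",                               # AWS IMDS IPv6 endpoint
)]


def _normalize(ip: str):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot bypass the v4 rules."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_in_scope(url: str, resolved_ips: list, allowed_hosts: set) -> tuple:
    """Return (allowed, reason). All resolved addresses must pass, so a name that
    resolves to one public and one internal address (rebinding-style) is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = (parts.hostname or "").lower()
    if not host or host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} not on allowlist"
    candidates = list(resolved_ips)
    try:                      # a literal IP in the URL is checked as its own resolution
        ipaddress.ip_address(host)
        candidates.append(host)
    except ValueError:
        pass
    if not candidates:
        return False, "no resolved addresses to check"
    for ip in candidates:
        try:
            addr = _normalize(ip)
        except ValueError:
            return False, f"unparseable address {ip!r}"
        for net in BLOCKED_NETWORKS:
            if addr in net:   # version mismatch simply yields False
                return False, f"{host} resolves to blocked address {addr} in {net}"
    return True, "ok"
```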
5. Secure development and supply chain
Our CI pipeline enforces linting, type checking, automated testing, SAST (Semgrep, Bandit), and container-image scanning (Trivy), and Fimil scans its own repositories through the platform. Dependencies are pinned via lockfiles with Dependabot updates. Container images are built with provenance attestation, SPDX SBOMs, and Cosign signing. Production secrets are managed as sealed secrets and never committed to source control.
6. Backups and business continuity
We take nightly backups with offsite storage and have documented restore procedures targeting a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 24 hours. A disaster-recovery restore test has been completed, and we test on a semi-annual cadence.
7. Logging, monitoring, and incident response
Security-relevant events are recorded in audit logs with full attribution (actor, tenant, IP, user-agent, request ID). We maintain a documented incident-response plan with defined severity levels and escalation steps, and breach-notification procedures aligned to GDPR (72-hour) and CCPA timelines.
8. Compliance status
We maintain a comprehensive internal policy suite and map our controls to frameworks including SOC 2, ISO 27001:2022, NIST CSF, CIS Controls, GDPR, and CCPA/CPRA. These programs are in progress and have not yet been independently audited or certified, and an external penetration test and independent audit are planned but not yet completed. Current status by framework is published on our Trust Center. We will update our claims as certifications are obtained.
9. Reporting a vulnerability
We welcome responsible disclosure. If you believe you have found a security vulnerability in the Service, please report it to security@fimil.dev. We aim to acknowledge reports within 48 hours. Please do not publicly disclose an issue until we have had a reasonable opportunity to remediate it, and do not access or modify data that is not yours while testing.