AurigaSpec v1.0 · ARCH ISSUED
PUB-006 · Trust centre

Trust & security posture

Programmes that depend on AurigaSpec carry confidential OEM IP. Below is what we do to keep it safe and what an OEM IT review board can expect to verify on Day 1.

Certifications & audits

SOC 2 Type I: In progress · auditor engaged in P0
SOC 2 Type II: Targeted 9–12 months post-GA (P5)
ISO 27001: Roadmap · post-GA
Pentest (annual): Scheduled before GA

Security architecture

  • TLS 1.3 only · HSTS · mTLS service-to-service
  • Postgres TDE · per-tenant KMS key · S3 SSE-KMS
  • Schema-per-tenant + Row-Level Security (defence-in-depth, ADR-0002)
  • Argon2id password hashing · WebAuthn passkeys · MFA mandatory for admin/safety/cyber
  • HashiCorp Vault for secrets · per-tenant LLM API keys
  • OpenTelemetry traces · audit log on append-only WORM-archived tables
  • SBOM (CycloneDX) signed with Sigstore cosign
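The schema-per-tenant plus Row-Level Security item is the one a review board most often asks to see in concrete terms, so here is an illustrative Postgres layout of that defence-in-depth pattern. It is an added example written for this page, not AurigaSpec's own schema or the text of ADR-0002; the schema name, table, role, session variable and the tenant id are all assumed. The point it demonstrates is that RLS is forced even for privileged roles, and that the policy fails closed when the tenant context is missing, plus the catalogue query a reviewer can run on Day 1 to confirm RLS is enabled and forced.

```sql
-- Illustrative only: names below (tenant_acme, programmes, app_rw,
-- app.tenant_id) are assumptions for this example, not AurigaSpec identifiers.
-- Assumes PostgreSQL 13+ for the built-in gen_random_uuid().
CREATE SCHEMA tenant_acme;

CREATE TABLE tenant_acme.programmes (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id  uuid NOT NULL,
    name       text NOT NULL,
    spec_blob  bytea
);

-- Layer 2 on top of the per-tenant schema: row-level policies.
-- FORCE makes the policy apply to the table owner as well, so a
-- misrouted or over-privileged connection still cannot read across tenants.
ALTER TABLE tenant_acme.programmes ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant_acme.programmes FORCE ROW LEVEL SECURITY;

-- The application sets app.tenant_id per transaction after authentication.
-- current_setting(name, true) returns NULL when the variable is unset, so the
-- comparison is NULL and the policy admits no rows: it fails closed, not open.
CREATE POLICY tenant_isolation ON tenant_acme.programmes
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Application role: must not be a superuser, must not own the table,
-- and must not carry BYPASSRLS, otherwise the policy is silently skipped.
CREATE ROLE app_rw LOGIN NOBYPASSRLS;
GRANT USAGE ON SCHEMA tenant_acme TO app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_acme.programmes TO app_rw;

-- Per-request pattern. SET LOCAL is transaction-scoped, so the tenant
-- context cannot leak to the next user of a pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';  -- constructed id
SELECT id, name FROM tenant_acme.programmes;
COMMIT;

-- Day-1 verification query for a reviewer: every tenant table should show
-- relrowsecurity = true AND relforcerowsecurity = true.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM   pg_class
WHERE  relnamespace = 'tenant_acme'::regnamespace
AND    relkind = 'r';

-- And no application role should be able to bypass RLS:
SELECT rolname FROM pg_roles WHERE rolbypassrls OR rolsuper;
```

The two closing queries are the useful part for an audit: the first shows whether RLS is merely enabled or actually forced on owners, and the second lists every role that would skip the policy entirely. A reviewer would expect the second result to contain only the database administration roles, never the role the application connects with.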

Reporting a vulnerability

Email security@aurigaspec.com · PGP key on the legal page · 60-minute internal SLA for triage.