Data Protection

Encryption, memory isolation, secrets management, and data handling practices.

How Steadybase protects data at rest, in transit, and during processing.

Encryption

In Transit

  • TLS 1.2+ enforced on all connections via nginx
  • Let's Encrypt certificates with automatic renewal
  • HSTS headers prevent protocol downgrade attacks
  • WebSocket connections use WSS (TLS-encrypted)

At Rest

  • Temporal Cloud encrypts workflow data at rest
  • Memory entries stored within Temporal's durable state (encrypted by Temporal Cloud)
  • Server-side configuration files have restricted permissions (600)

Secrets

Current secrets management uses environment variables in .env files with restricted file permissions:

.env file permissions: 600 (owner read/write only)
.env.backup: removed
nginx blocks: /.env, /.git, /node_modules

:::warning
Environment-based secrets management is a known limitation. Migration to AWS Secrets Manager is planned for Phase 2.
:::

Secrets Manager Migration Plan

The following secrets are planned for migration to AWS Secrets Manager:

| Secret | Current Location | Target |
|---|---|---|
| TEMPORAL_TLS_CERT | .env (Base64) | AWS Secrets Manager |
| TEMPORAL_TLS_KEY | .env (Base64) | AWS Secrets Manager |
| VAPI_API_KEY | .env | AWS Secrets Manager |
| SLACK_BOT_TOKEN | .env | AWS Secrets Manager |
| SLACK_SIGNING_SECRET | .env | AWS Secrets Manager |
| JWT signing key | .env | AWS Secrets Manager |
| Invite codes | .env | AWS Secrets Manager |

Memory Isolation

Per-User Chat Isolation

Each user's Brain chat history is isolated — users can only see and access their own conversations. Chat history is scoped by the authenticated user's identity.

Memory Scope Isolation

The hierarchical memory system enforces scope boundaries:

  • Organization memories are readable by all authenticated users
  • Team memories are scoped to the user's team
  • Worker memories are scoped to the specific worker
  • Session memories exist only during the active session
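
The scope rules above written as a deny-by-default read check, as an added example that is not Steadybase code. The field names (scope, teamId, workerId, sessionId), the ctx object and the sample records are assumptions made for illustration.

```javascript
// Added illustration, not Steadybase code. All field names are assumptions.

// True only when both ids are non-empty strings and equal, so an id missing
// on both sides (undefined === undefined) can never count as a match.
function sameId(a, b) {
  return typeof a === "string" && a.length > 0 && a === b;
}

// ctx is built server-side from the authenticated identity, never from
// request parameters: { userId, teamId, workerId, sessionId }.
// sessionId is the currently active session, or absent when there is none.
function canRead(ctx, memory) {
  if (!ctx || typeof ctx.userId !== "string" || !ctx.userId || !memory) {
    return false; // unauthenticated caller or missing record
  }
  switch (memory.scope) {
    case "organization":
      return true; // readable by all authenticated users
    case "team":
      return sameId(ctx.teamId, memory.teamId);
    case "worker":
      return sameId(ctx.workerId, memory.workerId);
    case "session":
      return sameId(ctx.sessionId, memory.sessionId); // active session only
    default:
      return false; // unknown or missing scope: deny
  }
}

// Filter a result set down to what the caller may see.
function visibleMemories(ctx, memories) {
  return memories.filter((m) => canRead(ctx, m));
}

// Constructed sample data.
const SAMPLE_MEMORIES = [
  { id: "m1", scope: "organization" },
  { id: "m2", scope: "team", teamId: "team-a" },
  { id: "m3", scope: "team", teamId: "team-b" },
  { id: "m4", scope: "worker", workerId: "worker-7" },
  { id: "m5", scope: "session", sessionId: "sess-1" },
  { id: "m6", scope: "team" },   // malformed: no teamId
  { id: "m7", scope: "global" }, // unknown scope
];
const ALICE = { userId: "alice", teamId: "team-a", workerId: "worker-7", sessionId: "sess-1" };
const BOB = { userId: "bob", teamId: "team-b" }; // no worker, no active session
```

The malformed and unknown-scope records are included to show that a record missing its owner id, or carrying a scope the check does not know, is invisible to everyone rather than visible to callers who also lack that id.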

Prompt Injection Defense

AI interactions include prompt injection defenses:

  • System prompts include injection detection instructions
  • User input is treated as untrusted data, never as system instructions
  • Output is sanitized before storage in memory

Audit Logging

Security-relevant operations are logged:

  • Authentication attempts (success and failure)
  • API access with timestamps and user identity
  • Worker actions and workflow executions
  • Memory writes and deletions
  • Administrative operations

:::note
Audit logs are currently stored locally. Migration to CloudWatch is planned for centralized, tamper-resistant logging.
:::

Data Retention

| Data Type | Retention | Notes |
|---|---|---|
| Chat history | Session-based | Clearable via API |
| Worker memory | Indefinite (with compression) | Pinned entries never expire |
| Workflow history | Temporal Cloud retention policy | Configurable per namespace |
| Audit logs | 90 days (local) | Moving to CloudWatch |
| Deal data | Indefinite | CRM sync |
