Security at NonaGuard

• AES-256 encryption for all Odoo credentials at rest
• Per-credential encryption with unique random salts
• TLS 1.3 enforced for all data in transit
• HTTPS-only access with HSTS preload headers (2-year max-age)
• Encryption keys managed separately from application secrets (dual-key architecture)
• Credentials decrypted only in-memory during scan execution, never written to logs

• Firestore security rules enforce document-level access control per organization
• Every API request validates organization membership before returning data
• No cross-tenant data access is possible, even for internal services
• Scan results, credentials, and configurations are scoped to organization IDs
• Account deletion triggers a full data purge across Firestore, Firebase Auth, and Stripe

• Firebase Authentication with mandatory email verification
• Role-based access control: Owner, Admin, and Member roles per organization
• JWT token validation on every API request via Firebase Admin SDK
• Token-based API authentication for programmatic access
• Rate limiting and domain-based signup throttling to prevent brute force and abuse

• Docker containers run as non-root users with read-only filesystems
• Network isolation between application, worker, and cache services
• Redis secured with authentication and dangerous commands (FLUSHALL, DEBUG, KEYS) disabled
• Caddy reverse proxy with automatic TLS certificate provisioning via Let's Encrypt
• SSRF protection: all scan targets validated against IANA private IP ranges
• Content Security Policy (CSP) headers on all responses
• Zero-downtime deployments with rolling restarts and health checks

• BYOK model: you provide your own API key for OpenAI, Google, or Anthropic
• Scan data is sent to YOUR chosen AI provider only when YOU request insights
• Only aggregated module metadata is shared (names, scores, risk counts) — never raw Odoo data
• NonaGuard never stores AI API keys in plaintext — AES-256 encrypted at rest
• API keys are validated before saving to ensure they are functional
• No AI provider has persistent access to your data

• HMAC-SHA256 signed webhook requests prevent tampering and replay attacks
• Token-based authentication with SHA-256 hashed storage — plaintext tokens are never persisted
• No inbound ports required on your Odoo server; the connector pushes data outbound only
• Heartbeat mechanism with automatic retry and configurable intervals
• Idempotent webhook processing prevents duplicate data submission

We are actively working toward SOC 2 Type II certification. Our infrastructure and data handling practices are designed with SOC 2 trust principles in mind — including security, availability, processing integrity, confidentiality, and privacy. NonaGuard has not yet obtained SOC 2 Type II certification. All architectural decisions documented on this page reflect our commitment to meeting these standards.

If you believe you have found a security vulnerability in NonaGuard, we encourage responsible disclosure. Please report it to security@hexalian.com with a detailed description of the issue, steps to reproduce, and any supporting evidence. We will acknowledge receipt within 48 hours and work with you to understand and address the vulnerability promptly.