Security
Key Points
- Security Practices: Encryption of data, rigorous access controls, MFA, and adherence to secure coding standards are core to our approach.
- Audits & Pentesting: Upcoming security audits and comprehensive penetration testing underpin our commitment to security.
- Recommendation: We strongly recommend running the latest version of Admyral so that you receive all security updates.
- Disclosure & Patching: We encourage responsible vulnerability disclosure via chris@admyral.dev. Our team is committed to prompt investigation and remediation. More information below.
For detailed security information or to report issues, contact us at chris@admyral.dev or on Discord.
Public Vulnerability Disclosure Policy
If you discover a security vulnerability or issue within Admyral, please help us by reporting it responsibly. We kindly ask you to follow these guidelines:
- Do Not Publicly Disclose: Please do not disclose the vulnerability publicly or to any third party. This helps us mitigate potential harm to our users while we investigate and address the issue.
- Contact Us Directly: Email us at chris@admyral.dev or message us directly on Discord. Please provide a detailed description of the issue, including how it can be reproduced, and any other information that might be helpful for our investigation.
We appreciate your support in making Admyral safer for everyone. Upon confirmation of the vulnerability and completion of its resolution, we acknowledge the contributions of responsible reporters in our Hall of Fame, unless anonymity is requested.
Data Encryption
- In Transit: All data exchanged with our services is encrypted using TLS 1.2 or above.
- At Rest: We encrypt sensitive data stored on our servers using AES-256 (see Supabase Security).
Authentication and Credentials
- User Authentication: We implement user authentication using Supabase Auth (SOC 2 compliant), which issues JSON Web Tokens (JWT) and stores user data securely in a PostgreSQL database. Currently, we provide email with password as well as OAuth 2.0 sign-in with Google, Microsoft, and GitHub. SSO via SAML 2.0 and MFA are available on request.
- APIs: API requests must carry a JWT in the Authorization header. The backend validates the JWT and verifies that the user ID it carries exists in the database, so every API endpoint is protected by the same access control.
- Webhooks: Each workflow has its own unique secret, generated using HS256 (HMAC-SHA256). To trigger a workflow via its webhook, the caller must include this secret, and the backend verifies the resulting signature so that only authorized users can trigger workflows.
- Credentials: In addition to encryption at rest, credentials are encrypted with AES-256-GCM at the application level before they are persisted in our Postgres database.
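The webhook check described above, as an added illustration that is not Admyral's own code: a per-workflow secret, an HS256 (HMAC-SHA256) signature over the raw request body, and a constant-time comparison on the server. The header name, the workflow IDs and the secret store are assumptions for the demo, not values from the project.

```python
import hashlib
import hmac
import secrets

# Constructed per-workflow secret store. In a real deployment this lives in the
# database; the values here are generated at import time purely for the demo.
WORKFLOW_SECRETS = {
    "wf-demo-1": secrets.token_hex(32),
    "wf-demo-2": secrets.token_hex(32),
}

# Assumed header name; the page does not say how the secret is transported.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(secret: str, body: bytes) -> str:
    """HS256 (HMAC-SHA256) over the raw request body, hex-encoded."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(workflow_id: str, headers: dict, body: bytes) -> bool:
    """Return True only if the presented signature matches this workflow's secret.

    Unknown workflow, missing header and tampered body all yield False.
    compare_digest keeps the comparison constant-time, so the check does not
    leak how many leading characters of the signature were correct.
    """
    secret = WORKFLOW_SECRETS.get(workflow_id)
    presented = headers.get(SIGNATURE_HEADER)
    if secret is None or not presented:
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def build_request(workflow_id: str, body: bytes) -> dict:
    """Client side (constructed): sign the body with the workflow's secret."""
    return {SIGNATURE_HEADER: sign_payload(WORKFLOW_SECRETS[workflow_id], body)}


if __name__ == "__main__":
    body = b'{"alert": "new login from unknown device"}'
    headers = build_request("wf-demo-1", body)
    print(verify_webhook("wf-demo-1", headers, body))         # True
    print(verify_webhook("wf-demo-1", headers, body + b" "))  # False: body tampered
    print(verify_webhook("wf-demo-2", headers, body))         # False: wrong workflow
    print(verify_webhook("wf-demo-1", {}, body))              # False: no signature
```

Because the signature covers the exact bytes received, the server must verify against the raw body before any JSON parsing or re-serialisation.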
We're dedicated to maintaining the highest level of security. For further details or immediate concerns, reach out to us directly via chris@admyral.dev or on Discord.