Infrastructure

How Introspection secures data at the infrastructure level.

Encryption

In Transit

All traffic uses TLS 1.2 or higher. This includes:

  • SDK to ingest endpoint (OTLP over HTTPS)
  • Inter-service communication
  • Database and cache connections (sslmode=require for PostgreSQL, transit encryption for Redis/Valkey)

At Rest

All storage is encrypted with customer-managed keys (CMEK) on enterprise plans, or provider-managed keys on managed plans:

  • Databases (PostgreSQL, ClickHouse)
  • Caches (Redis / Valkey)
  • Object storage (S3 / GCS / Azure Blob)
  • Kubernetes secrets and persistent volumes

Key rotation is automatic on a 90-day cycle.

Field-Level Encryption

Sensitive fields (API keys, tokens, credentials) use application-level encryption scoped to the organization. Database columns store only encrypted bytes — plaintext is never written to disk.

Networking

  • No public endpoints. Databases, caches, and internal services are accessible only through private networking (VPC peering, private subnets, private DNS zones).
  • Egress control. Sandboxed workloads use domain whitelisting and egress restrictions.
  • Multi-cloud. AWS, GCP, and Azure deployments follow the same security posture across 16+ regions.

Identity and Access

Workload Identity

Services authenticate using cloud-native workload identity — no exported service account keys:

  • AWS: IAM Roles for Service Accounts (IRSA) via EKS OIDC
  • GCP: Workload Identity Federation
  • Azure: Managed Identity + Workload Identity Federation

IAM

All IAM roles follow least-privilege principles. No broad roles (roles/owner, roles/editor) are used. Each workload gets scoped permissions for only the resources it needs.

Application Auth

  • OIDC / JWT-based authentication
  • Three-tier RBAC: Owner, Admin, Member
  • 20+ fine-grained permission scopes

Container Security

All workloads run with hardened security contexts:

  • Non-root execution
  • Read-only root filesystem
  • No privilege escalation
  • All Linux capabilities dropped
  • CPU and memory limits enforced
  • Liveness and readiness probes on every service
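
The six controls listed above map onto standard Kubernetes Pod manifest fields, so a manifest can be checked for them before deployment. The following is an added example, not Introspection's own code: the `audit_pod` function and the sample manifest are constructed for illustration, and it assumes the workloads are described by Kubernetes Pod specs.

```python
import json

# Constructed sample manifest (illustrative only): one hardened container, one with gaps.
SAMPLE_POD = json.loads("""
{"spec": {"containers": [
  {"name": "api",
   "securityContext": {"runAsNonRoot": true, "readOnlyRootFilesystem": true,
                       "allowPrivilegeEscalation": false,
                       "capabilities": {"drop": ["ALL"]}},
   "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
   "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
   "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}},
  {"name": "sidecar",
   "securityContext": {"runAsNonRoot": true,
                       "capabilities": {"drop": ["NET_RAW"]}},
   "resources": {"limits": {"memory": "64Mi"}},
   "livenessProbe": {"tcpSocket": {"port": 9000}}}
]}}
""")


def audit_pod(pod):
    """Return {container_name: [missing controls]} for a parsed Pod manifest."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = {}
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        limits = (c.get("resources") or {}).get("limits") or {}
        drops = (sc.get("capabilities") or {}).get("drop") or []
        missing = []
        # runAsNonRoot may be inherited from the pod-level securityContext.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            missing.append("non-root execution")
        if sc.get("readOnlyRootFilesystem") is not True:
            missing.append("read-only root filesystem")
        # An unset allowPrivilegeEscalation does not block escalation: require explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            missing.append("no privilege escalation")
        if "ALL" not in drops:
            missing.append("all capabilities dropped")
        missing += [f"{r} limit" for r in ("cpu", "memory") if r not in limits]
        missing += [p for p in ("livenessProbe", "readinessProbe") if p not in c]
        findings[c["name"]] = missing
    return findings


if __name__ == "__main__":
    print(audit_pod(SAMPLE_POD))
```

An empty list for a container means all six controls are present in its spec; the check reads the manifest only and does not verify what an admission controller or the runtime actually enforces.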

Sandbox Isolation

Agent workloads run in ephemeral containers with:

  • Scoped access to only the resources they need
  • Egress domain whitelisting
  • Automatic cleanup after execution
  • No persistent state between runs

API Key Security

API keys are hashed with SHA-256 before storage. Inter-service lookups transmit only the hash. The full key is stored encrypted (field-level encryption) only in the control plane for the “reveal key” feature.
