Security

Security posture for a launched workflow-monitoring service.

This page summarizes the current public security posture for customers and procurement reviews. It covers the safeguards Luota already operates today, without promising a formal compliance certification.

Control matrix

What is protected, where proof appears, and who owns the control.

Current controls only. No customer logos, certification claims, or hidden enterprise promises are implied by this matrix.

Control: Account access
Current posture: scrypt password hashing, hashed reset and verification tokens, session revocation versions, and optional authenticator-app 2FA.
Proof surface: Settings > Security, reset flows, email verification, OAuth link controls.
Owner: Luota app

Control: Workspace boundary
Current posture: Server actions require workspace ownership for by-id mutations; internal API calls require service auth and signed actor context.
Proof surface: Workspace membership checks, audit log, API contract tests.
Owner: Luota app/API

Control: Ingest boundary
Current posture: Monitor-scoped ingest tokens, rotation support, abuse-path rate limits, and trusted proxy client-IP handling.
Proof surface: Monitor Integration tab, docs request examples, token rotation events.
Owner: Luota ingest

Control: Incident evidence
Current posture: Incident timeline, root run, redaction/truncation notes, and durable alert-delivery attempts stay inspectable by workspace.
Proof surface: Incident detail, monitor incidents tab, export/audit surfaces.
Owner: Workspace

Control: Backup and restore
Current posture: Encrypted off-host database backups with scripted freshness checks and restore drills.
Proof surface: Committed ops scripts and production verification runbooks.
Owner: Luota ops

Control: Disclosure path
Current posture: Dedicated security contact and published vulnerability disclosure policy; no formal certification claim.
Proof surface: security@luota.dev, /.well-known/security.txt, disclosure page.
Owner: Founder

Buyer record

Security is one part of the buyer evidence packet.

Luota is pre-customer, so the commercial site shows product behavior, public controls, and buying mechanics directly. No invented testimonials, logo walls, or compliance claims.

Product record

Actual surfaces, not borrowed credibility

Inspect the dashboard, monitor detail, incident record, demo workspace, and deliberate failure drill before trusting the product.

Public controls

Controls and limits are public

Review the current security posture, privacy terms, DPA, subprocessor list, disclosure path, and live service status.

Billing state

Buying rules match product limits

Confirm workflow limits, retention, Stripe responsibility, cancellation behavior, and what changes after checkout.

Authentication

Protected account and workspace access

Passwords are hashed with scrypt, password-reset and email-verification tokens are stored as hashes, sessions carry a revocation version, and two-factor authentication is available for account hardening.

Tenant isolation

Workspace checks at the app and API boundary

Server actions verify workspace ownership before by-id mutations, the internal API requires service authentication plus a signed actor context, and database relationships enforce cross-workspace integrity for core resources.

Ingest protection

Monitor-scoped tokens and rate limits

Public ingest routes authenticate monitor-scoped tokens, support token rotation, rate-limit abuse paths, and use trusted proxy client-IP handling so spoofed forwarding headers do not become the identity boundary.
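An added example (not Luota's ingest code) of the trusted-proxy client-IP rule and an abuse-path rate limit keyed on the result. The proxy addresses, the request shape, and the limit values are constructed for illustration; the page does not publish Luota's proxy topology or limits.

```javascript
// Added example (not Luota's code): derive the client IP behind trusted reverse
// proxies and key a fixed-window rate limit on it. Proxy addresses and limits
// below are constructed for the example.

// Reverse proxies the service operates itself. Only hops listed here are skipped.
const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]);

// Walk X-Forwarded-For from the right (the hop nearest us), discarding trusted
// proxy addresses; the first untrusted address is the client. Anything a client
// prepended to the header sits further left and is never reached, so a spoofed
// header cannot move the identity boundary. If the direct peer is not a trusted
// proxy the header is ignored entirely and the peer address is the client.
function clientIp(remoteAddr, xffHeader, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(remoteAddr)) return remoteAddr;
  const hops = (xffHeader || "").split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return remoteAddr; // header empty or every hop trusted
}

// Fixed-window counter per (key, window). allow() returns whether the request
// fits under the limit for the current window.
class FixedWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.counts = new Map();
  }
  allow(key, now = Date.now()) {
    const window = Math.floor(now / this.windowMs);
    const k = `${key}:${window}`;
    const n = (this.counts.get(k) || 0) + 1;
    this.counts.set(k, n);
    return n <= this.limit;
  }
}

// Decision for one ingest request. Token validation is out of scope here; only
// the abuse-path limiter keyed on the derived client IP is shown.
function ingestDecision(req, limiter, now = Date.now()) {
  const ip = clientIp(req.remoteAddr, req.headers["x-forwarded-for"]);
  return { ip, allowed: limiter.allow(ip, now) };
}
```

The limiter keeps every (key, window) entry; a production version evicts windows older than the current one, or uses a store with expiry, so the map does not grow without bound.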

Data protection

Secrets and sensitive channel config are minimized

Ingest tokens are signed, reset and recovery material is hashed, and sensitive alert-channel fields such as webhook URLs, routing keys, SMS numbers, and email recipients are encrypted at rest.

Backups

Encrypted off-host database backups

Production backup and restore-drill procedures are committed ops scripts. Backups are encrypted before upload to Cloudflare R2, and freshness plus restore checks are part of the production verification routine.

Operations

Small, scripted production surface

Deploys, backup checks, restore drills, Sentry canaries, Nginx hardening, Docker builder-cache cleanup, and production smoke checks run through committed scripts rather than ad-hoc shell sessions.

Outbound requests

SSRF-aware webhook and importer fetches

User-configured outbound URLs are restricted to HTTPS, reject credentials, block private and localhost destinations after DNS resolution, and avoid following redirects.
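The destination policy described above, as an added example that is not Luota's fetch code: HTTPS only, no embedded credentials, private and loopback ranges rejected on every resolved address, and redirects not followed. The DNS resolver is injected so the example runs offline; the hostnames and the address table in the test are constructed, and the blocked-range list is a common baseline, not Luota's published list.

```javascript
// Added example (not Luota's code): SSRF-aware policy check for a user-supplied
// outbound URL. The resolver is a function host -> string[]; in production it
// would wrap dns.lookup with { all: true } so every record is checked.

// Parse dotted-quad IPv4 to an unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((x) => x > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

// Blocked IPv4 ranges: this-host, RFC 1918, CGNAT, loopback, link-local
// (which covers the usual cloud metadata address), multicast, reserved.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function isBlockedIpv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // unparseable: fail closed
  return BLOCKED_V4.some(([net, len]) => {
    const mask = (0xffffffff << (32 - len)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// IPv6: unspecified, loopback, unique-local (fc00::/7) and link-local (fe80::/10)
// are blocked; IPv4-mapped forms defer to the IPv4 check. Only textual forms
// without zone ids are handled.
function isBlockedIpv6(ip) {
  const a = ip.toLowerCase();
  if (a === "::" || a === "::1") return true;
  if (/^f[cd]/.test(a) || /^fe[89ab]/.test(a)) return true;
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);
  if (dotted) return isBlockedIpv4(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(a);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIpv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

function isBlockedAddress(addr) {
  return addr.includes(":") ? isBlockedIpv6(addr) : isBlockedIpv4(addr);
}

// Full policy for one URL. Syntactic checks first, then every resolved address
// must pass: a name that mixes public and private records is rejected outright.
// On success the caller gets the vetted address to pin and fetch options that
// disable redirect following.
function checkOutboundUrl(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "invalid-url" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  const addrs = resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "unresolved" };
  const bad = addrs.find(isBlockedAddress);
  if (bad) return { ok: false, reason: "private-destination", address: bad };
  return { ok: true, address: addrs[0], fetchInit: { redirect: "manual" } };
}
```

Two points matter when wiring this into a real fetch. The connection must go to the address that was vetted (for example via a custom lookup on the HTTP agent), otherwise a second resolution at connect time can return a different answer. And `redirect: "manual"` means a 3xx is treated as the final response; if redirects were ever followed, each hop would need the same check, since the first hop being public says nothing about the next.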

Disclosure

Report vulnerabilities directly

Security reports go to security@luota.dev. Include affected workspace, route or endpoint, reproduction steps, and whether customer data or alert delivery could be impacted.

Read disclosure policy

For data-processing terms and vendor disclosure, use the DPA and subprocessor pages.

Open DPA page