Defense in depth, by contract.
Every SwarmStack control is named, enforced in code or CI, and documented here. This page is for the security team running the vendor review — the marketing summary lives on /trust.
HSTS, no plaintext fallback. Certificate transparency monitored.
FORCE row-level security on every domain table. CI fails the build if missing.
No direct pushes to main. Lint + type + RLS gate + smoke + unit + integration on every PR.
What we defend against — and what we don't.
Honest about scope. SwarmStack's M1 threat model focuses on the attacks that target a multi-tenant AI planning platform with paid human Participants. Out-of-scope items are listed too.
Cross-tenant data leak
Mandatory row-level security on every domain table; the application role cannot bypass it, and CI fails the build if any table is missing the policy. A cross-tenant pgTAP smoke test runs on every PR.
Prompt-injection exfiltration
All Participant-authored text is wrapped in an <untrusted_participant_content> envelope before any model sees it. Orchestrator system prompt refuses instructions inside the envelope. An output filter rejects synthesized text matching instruction-to-system patterns.
MCP token theft / replay
HMAC-signed JWT bearers scoped to one tenant + participant + session, short-lived, re-checked per request. Suspension is effective within seconds via a per-request users.suspended_at check. No denylist needed.
SME social engineering
SMEs see only the Brief, their own assigned Task, and the orchestrator-synthesized plan — never other Participants' raw contributions. KYC via Stripe Connect Express. Suspension propagates within seconds.
Webhook spoofing
Stripe and Resend webhooks are signature-verified. Replays are idempotent against scheduled_actions rows. Unsigned or malformed payloads return 401 before any handler dispatches.
Side-effect loss on restart
Every async side effect (email, payment call, payout, timeout) runs through the scheduled_actions table claimed by atomic CAS. setTimeout / setInterval are forbidden for anything that must outlive the process.
Targeted nation-state attack
Out of scope for our M1 threat model. We will cooperate with sophisticated buyers' security programs (network segmentation, dedicated tenants on Enterprise) but do not warrant against nation-state adversaries.
Compromise of the customer's own device
Out of scope. If a Creator's laptop or OAuth provider is compromised, the attacker can act as them within Session permissions. Encourage hardware-backed MFA and OAuth provider hygiene; we cannot enforce it.
Five layers, one transaction per request.
TLS 1.3 everywhere
Vercel and Fly terminate TLS 1.3. HSTS, no plaintext fallback. Certificate transparency monitored.
Per-request RLS
Every handler opens one Postgres transaction and runs SET LOCAL app.tenant_id before any query. Lint-enforced.
Forced RLS + AES-256
21 domain tables, FORCE row-level security, AES-256 at rest. Column-level encryption for Brief and SwarmPlan on Business+.
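The per-request RLS and forced-RLS layers above, as an added example that is not SwarmStack's own migration code: a hypothetical briefs table with the forced tenant policy, the SET LOCAL every handler runs first, and the catalog query a CI gate can run to fail the build on any tenant table lacking ENABLE + FORCE or a policy. The table name, the role app_role and the tenant ids are constructed.

```sql
-- Added example (not SwarmStack's own migration). Assumes a non-superuser
-- application role named app_role and a hypothetical domain table "briefs".
CREATE TABLE briefs (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  body      text NOT NULL
);

-- ENABLE alone still lets the table owner bypass the policy; FORCE applies it
-- to the owner too, so only a superuser or a BYPASSRLS role can get around it.
ALTER TABLE briefs ENABLE ROW LEVEL SECURITY;
ALTER TABLE briefs FORCE ROW LEVEL SECURITY;

-- USING filters reads, WITH CHECK rejects writes carrying another tenant's id.
-- current_setting(name, true) does not error when the setting is missing, and
-- NULLIF turns the empty string left behind by an earlier session into NULL, so
-- a handler that forgot SET LOCAL sees zero rows rather than every tenant's rows.
CREATE POLICY tenant_isolation ON briefs
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON briefs TO app_role;

-- What every handler does: one transaction, SET LOCAL before the first query.
-- SET LOCAL ends with the transaction, so a pooled connection cannot carry this
-- tenant id into the next request. The ids below are constructed.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO briefs (tenant_id, body)
  VALUES ('11111111-1111-1111-1111-111111111111', 'own brief');   -- allowed
SELECT id, body FROM briefs;                                       -- this tenant only
COMMIT;
-- Inserting tenant_id '22222222-2222-2222-2222-222222222222' inside that
-- transaction fails with "new row violates row-level security policy".

-- CI gate: every table in public that carries a tenant_id column but lacks
-- ENABLE, lacks FORCE, or has no policy at all. Any row back fails the build.
SELECT c.relname
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
JOIN   pg_attribute a ON a.attrelid = c.oid
                     AND a.attname = 'tenant_id' AND NOT a.attisdropped
WHERE  n.nspname = 'public' AND c.relkind = 'r'
  AND (NOT c.relrowsecurity
       OR NOT c.relforcerowsecurity
       OR NOT EXISTS (SELECT 1 FROM pg_policy p WHERE p.polrelid = c.oid));
```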
Atomic side effects
Only the scheduler calls external APIs. Claims are atomic CAS; retries are idempotent on the action id.
Append-only log
audit_events is INSERT-only, retained ≥1 year. Customer can read their own log; we cannot UPDATE or DELETE.
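The atomic side-effect and append-only layers above, as an added example that is not SwarmStack's own schema: a hypothetical scheduled_actions table claimed by compare-and-set, an idempotent insert for a replayed webhook, and an audit_events table the application role can only append to. Column names, the role app_role and the sample values are assumptions.

```sql
-- Added example (not SwarmStack's own schema). Hypothetical tables; app_role is
-- an assumed non-superuser application role; sample values are constructed.
CREATE TABLE scheduled_actions (
  id              bigserial PRIMARY KEY,
  tenant_id       uuid NOT NULL,
  kind            text NOT NULL,                    -- email | payment | payout | timeout
  payload         jsonb NOT NULL,
  run_at          timestamptz NOT NULL,
  status          text NOT NULL DEFAULT 'pending',  -- pending | claimed | done
  claimed_by      text,
  idempotency_key text NOT NULL UNIQUE              -- e.g. the provider's event id
);

-- Claim by compare-and-set: the UPDATE only matches while status is still
-- 'pending', so two workers racing for one row cannot both win. SKIP LOCKED
-- keeps a second worker from blocking on a row the first one is claiming.
UPDATE scheduled_actions
SET    status = 'claimed', claimed_by = 'worker-a'
WHERE  id = (SELECT id FROM scheduled_actions
             WHERE  status = 'pending' AND run_at <= now()
             ORDER  BY run_at
             LIMIT  1
             FOR UPDATE SKIP LOCKED)
  AND  status = 'pending'
RETURNING id, kind, payload;

-- Replayed webhook: the same event id hits the UNIQUE key and becomes a no-op
-- instead of a second payout.
INSERT INTO scheduled_actions (tenant_id, kind, payload, run_at, idempotency_key)
VALUES ('11111111-1111-1111-1111-111111111111', 'payout',
        '{"amount_cents": 5000}', now(), 'evt_constructed_001')
ON CONFLICT (idempotency_key) DO NOTHING;

-- Append-only audit log: app_role gets INSERT and SELECT only, and a trigger
-- refuses UPDATE/DELETE even for the table owner. (It still needs the same
-- tenant_id RLS policy as every other domain table; omitted here.)
CREATE TABLE audit_events (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  at        timestamptz NOT NULL DEFAULT now(),
  actor     text NOT NULL,
  event     text NOT NULL,
  details   jsonb
);
GRANT SELECT, INSERT ON audit_events TO app_role;

CREATE FUNCTION audit_events_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN RAISE EXCEPTION 'audit_events is append-only'; END $$;

CREATE TRIGGER audit_events_no_rewrite
  BEFORE UPDATE OR DELETE ON audit_events
  FOR EACH ROW EXECUTE FUNCTION audit_events_immutable();
```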
Detail in the spec: docs/swarmstack-spec.md §6, §16. Architecture diagram available under NDA.
Every control, what enforces it, where it ships.
| Domain | Control | Status |
|---|---|---|
| Access control | Production access is named, MFA-required, ticketed, and audited to an immutable channel. No shared admin role. RLS applies to employees the same way it applies to tenants. | Shipped |
| Authentication | Auth.js (Google + GitHub OAuth). HMAC-signed JWTs for MCP. OAuth state persisted in Postgres so it survives restarts. Email-binding check on Invite acceptance prevents forwarded-link attacks. | Shipped |
| Encryption — transit | TLS 1.3 between every component. HSTS. No plaintext or mixed-content fallback. | Shipped |
| Encryption — at rest | AES-256 at the volume level (Fly Postgres). Column-level encryption for Brief and SwarmPlan (Business+, CMEK). | Business+ tier |
| Data isolation | tenant_id on every domain row. ENABLE + FORCE ROW LEVEL SECURITY on every domain table. App role is non-superuser. CI gate fails the build on missing policy. | Shipped |
| Audit & monitoring | Append-only audit_events with ≥1y retention. Structured request logs (no PII in log lines). Per-tenant Datadog dashboards on Business+. | Shipped |
| Product analytics | PostHog for product analytics (ADR-0009). Client events carry a visitor id, first-touch UTM, and device context; on sign-in the anonymous device person is merged onto the user, keyed by user id. Server-side capture rides the domain-event bus after commit, grouped by tenant. Session content (Briefs, messages, plan/Task text) is never sent to analytics — only scalar dimensions (ids, roles, statuses). | Shipped |
| Vulnerability management | Dependency scanning (GitHub Dependabot + npm audit) on every PR. Quarterly third-party penetration test. SAST run on every push. | Pen test Q3 2026 |
| Secure SDLC | Two-person review on all merges to main. Required CI passes (lint, type-check, RLS gate, pgTAP smoke, full unit + integration suites). No direct pushes to main. | Shipped |
| Backup & DR | Hourly Postgres backups with 30d retention. Tested restore drill quarterly. RPO 1h, RTO 4h on shared tier; lower available on Enterprise. | Shipped |
| Supply chain | Pinned dependencies; lockfile committed; reproducible builds; SBOM published with each release. Signed Docker images. | Shipped |
| Incident response | Documented runbook for Sev-1 (data exposure, cross-tenant leak, healthcare/legal slip-through). On-call rotation. Customer notice within 24h of confirmed incident. | Shipped |
| Compliance | SOC 2 Type II observation window in progress (opened Q1 2026). ISO 27001 on the roadmap. GDPR + CCPA compliant by design. | In progress |
Severities, triage times, customer notice.
| Severity | Examples | Triage SLA | Customer notice |
|---|---|---|---|
| Sev-1 | Cross-tenant data exposure, healthcare/legal slip-through, prod outage > 30min | Within 1 hour | Customer notice within 24h |
| Sev-2 | Single-tenant impact, payment processing failure, partial outage | Within 4 hours | Customer notice within 48h |
| Sev-3 | Degraded performance, non-blocking bug | Within 1 business day | Resolved in changelog |
Sev-1 healthcare/legal slip-through has an additional auto-suspend path: profile suspension within seconds, deletion within 24 hours. See docs/swarmstack-spec.md §22.4.
Bring us the bug. We'll bring you safe harbor.
How to report
Email security@swarmstack.io with a description, reproduction steps, and any logs or traces. PGP key available on request. We acknowledge within 24h and aim to triage within 72h.
A public bug-bounty program is on the roadmap. Until then, individual rewards are at our discretion and we credit researchers in our changelog if you'd like.
Safe harbor
Good-faith research that:
- Targets only the trust_probe sandbox tenants, your own tenant, or accounts you control.
- Does not exfiltrate data beyond the minimum needed to demonstrate the bug.
- Does not degrade service for other customers.
- Gives us a reasonable disclosure window (default 90 days).
… will not result in legal action from us. Coordinated disclosure is the norm; surprise full-disclosure is not.
Security questionnaire, DPA, or pen-test letter?
Standard vendor-security packets turn around in two business days. Custom regulated-buyer questionnaires take about a week.