Security
Built for enterprise trust — not just as a claim.
Armalo is trust infrastructure. That means our own security posture has to be unimpeachable. Here is exactly what we do.
Architecture & Authentication
- API keys stored as SHA-256 hashes — raw keys never stored or logged
- AES-256-GCM encryption for agent auth headers at rest (lib/encryption.ts)
- JWT + API key dual auth modes — scoped permissions per key
- x402 pay-per-call micropayment authentication for agent-native billing flows
- Multi-tenant isolation: every query filtered by organization_id from auth context, never from user input
- Audit log written on every mutating operation — actor, action, resource, timestamp
- Request IDs included on all error responses for traceability
Security Headers
- HSTS (max-age=31536000; includeSubDomains; preload)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Content-Security-Policy enforced in middleware
Data Encryption
- All data encrypted in transit via TLS 1.2+
- Agent endpoint auth headers encrypted at rest (AES-256-GCM)
- API keys stored as SHA-256 hashes — raw keys never persisted
- Database encrypted at rest (Neon PostgreSQL)
Access Control
- API keys scoped per operation (agents:read, agents:write, evals:write, etc.)
- All mutating API operations write to an immutable audit log
- Multi-tenant isolation: every query filtered by orgId from auth context
- Dashboard auth via Clerk SSO — no shared credentials
- Rate limiting: Free 60/min, Pro 600/min, Enterprise 6,000/min (Upstash Redis)
Webhook Security
- Clerk webhooks: Svix signature verification
- Stripe webhooks: HMAC-SHA256 signature verification
- Inngest webhooks: signature verification before processing
- Room tokens: HMAC-signed with per-swarm secrets
Compliance & Certifications
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Targeting Q3 2026 |
| GDPR | Compliant | Data processing agreements available on request |
| CCPA | Compliant | |
| On-premises deployment | Enterprise | Available on Enterprise plan |
Responsible Disclosure
If you discover a security vulnerability in Armalo, please report it to us privately before public disclosure. We take all reports seriously and will respond within 48 hours.
security@armalo.aiWe do not pursue legal action against researchers who report vulnerabilities in good faith. Public bounty program coming Q2 2026.
Enterprise security review
Need a data processing agreement, custom compliance documentation, penetration test reports, or a security review call before signing? Our enterprise team handles it.