1. Application Security

Input Validation:

• All APIs implement strict input validation to prevent common injection attacks such as SQL injection and XSS.

Authentication and Authorization:

• The platform uses secure authentication mechanisms (OAuth 2.0, JWT tokens) with role-based access control (RBAC) to ensure that only authorized users can access specific workflows and data that belong to them.

Password Security:

• User passwords and credentials are hashed using industry-standard algorithms (e.g., bcrypt & crypto JS) and never stored in plaintext when being saved to the database.

2. Data Security

2. Data Security

3. Container Security

Image Scanning:

• Docker images can be scanned for known vulnerabilities using tools like Aqua Security or Clair. Only approved and scanned images are deployed to production environments.

Runtime Security:

• Containers are run with restricted permissions (using Docker's --user flag) to minimize the attack surface.

Secrets Management:

• Sensitive data such as API keys or database credentials are managed securely through environment variables using Docker Secrets or Kubernetes Secrets and are never hardcoded into the application.

4. Infrastructure Security

Data Protection Compliance (GDPR)

Centiloquy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We store only minimal cookies in the client to enable things like persistent sign in. Any data collected can be accessed, managed or deleted by the user. There are Admin APIs to delete accounts and all data associated with each account on demand when requested by the user.


Centiloquy implements measures to protect data from unauthorized access, including encryption and regular security audits.