Security & Portability

Enterprise-grade security with zero vendor lock-in. Your code, your data, your infrastructure choices.

Security Model

Authentication & Access

—JWT with short-lived access tokens (15min) and rotatable refresh tokens
—RBAC with 5 system roles (Owner, Admin, Developer, Viewer, Billing) and 40+ granular permissions
—Organization-scoped sessions — switching orgs requires re-authentication
—Super Admin access on separate auth domain with elevated verification
—API keys for CI/CD with scoped permissions and automatic rotation policies

Tenant Isolation

—Each workspace runs in an isolated Kubernetes pod with cgroup limits
—Network policies prevent all cross-tenant pod communication
—PostgreSQL row-level security ensures data isolation at the query level
—Separate encryption keys per organization for at-rest data
—AI context is workspace-scoped — model cannot access other workspaces

AI Safety Controls

—Suggest-approve-execute pipeline: AI never modifies files without human approval
—Prompt injection defenses: input sanitization, output validation, context boundary enforcement
—Model output scanning for secrets, credentials, and sensitive data before displaying
—Complexity-routed model selection prevents unnecessary data exposure to frontier models
—Full audit trail of every AI request, response, and approval decision

Supply Chain Security

—Dependency scanning on every build with known vulnerability databases
—Container images rebuilt weekly from verified base images
—No arbitrary npm/cargo install in production workspaces without policy check
—Signed deployments with hash verification for all smart contract artifacts
—Pre-approved package registries with allowlist enforcement

Audit & Observability

—Every API call logged with actor, timestamp, IP, org context, and response status
—AI actions tracked: prompt, model, token usage, approval status, executor
—Deployment audit trail: who deployed, what changed, gas used, verification status
—Configuration changes tracked with before/after snapshots
—Forensic search tools for security investigations with timeline reconstruction

Infrastructure Security

—All data encrypted in transit (TLS 1.3) and at rest (AES-256)
—Secrets management via encrypted vault — never stored in environment variables
—DDoS protection at edge with rate limiting per org, per user, per endpoint
—Automatic security patching with rolling updates and zero-downtime deployments
—Incident response playbook with defined escalation paths and communication templates

Data Portability

We believe you should be able to leave any platform in under an hour. Every piece of data you create on KuberNodes can be exported in standard, non-proprietary formats.

Full Code Export

Download your entire workspace as a standard project — package.json, Cargo.toml, Anchor.toml, and all source files. Works with any local IDE.

CI/CD Pipeline Export

Generate GitHub Actions, GitLab CI, or standalone deployment scripts from your KuberNodes deployment configuration. No proprietary lock-in.

Infrastructure as Code

Export Terraform/Pulumi configurations for your RPC endpoints, validators, and monitoring stack. Reproduce your infrastructure anywhere.

Data Export

Export analytics, audit logs, deployment history, and team configurations. Standard formats (JSON, CSV). GDPR-compliant data portability.

Compliance

Active and planned certifications. Contact security@kubernodes.com for our security questionnaire or penetration test results.

SOC 2 Type II

In Progress

Annual audit covering security, availability, and confidentiality. Expected Q3 2025.

GDPR

Compliant

Data processing agreements, right to deletion, purpose limitation. EU data residency available.

ISO 27001

Planned

Information security management system certification. Roadmap for 2025.

Penetration Testing

Quarterly

Third-party penetration testing by certified security firms. Results available under NDA.

Responsible Disclosure

Found a security vulnerability? We take every report seriously. Contact us at security@kubernodes.com with details and we'll respond within 24 hours.