Key security principles
No permanent credentials
CauseFlow never stores permanent credentials for your infrastructure. Every agent session uses temporary STS credentials with 15-minute expiry.
Minimum permissions per agent
Each AI agent receives only the permissions it needs for its specific task. A log analyst cannot describe EC2 instances. An infrastructure inspector cannot read CloudWatch metrics.
Human approval before action
No remediation executes automatically. Every proposed action — restart a service, rollback a deployment, merge a PR — requires explicit human approval.
Tamper-proof audit trail
Every action in CauseFlow is recorded in an immutable audit log with cryptographic hash chaining. The trail cannot be modified or deleted without detection.
Eight security layers
1. Authentication
All API requests require a valid JWT Bearer token. CauseFlow verifies the token signature, claims (issuer, audience, expiry), and tenant binding on every request. Webhook ingestion uses API keys authenticated via HMAC-SHA256. Authentication details →2. Authorization (RBAC)
Four roles — admin, owner, operator, viewer — control what each user can do within a tenant. Every request is scoped to the tenant identified in the JWT. Data from one tenant is physically inaccessible to another. RBAC details →3. Temporary infrastructure credentials
When an investigation starts, CauseFlow uses AWS STS AssumeRole to generate temporary credentials for each AI agent. Credentials expire after 15 minutes and are scoped to the minimum permissions required by that agent’s role. Credentials are revoked immediately when the investigation completes. Data privacy details →4. Encryption at rest and in transit
All data is encrypted in transit with TLS. OAuth tokens and sensitive credentials are protected with KMS envelope encryption (AES-256-GCM). The data encryption key (DEK) is encrypted with your tenant’s customer master key (CMK) — even a full database compromise yields no usable credentials.5. Immutable audit trail
CauseFlow tracks 67 action types across 8 categories (tenant, incident, investigation, remediation, credential, auth, GitHub, notification). Every audit record is chained with SHA-256 — modifying any past record breaks the chain and is immediately detectable. Compliance details →6. Rate limiting
Per-tenant, per-plan rate limiting is enforced at the API gateway. The implementation uses Redis with an in-memory fallback. Rate limiting fails closed — if the limiter is unavailable, requests are denied rather than allowed through.7. Input validation
All input is validated with Zod schemas at every boundary: HTTP requests, LLM outputs, and SQS messages. Malformed or unexpected input is rejected before it reaches any processing logic.8. CORS
Cross-Origin Resource Sharing is restricted to explicitly allowed origins. Wildcard origins (*) are never used.
Data encrypted in transit and at rest
| Data type | Protection |
|---|---|
| API traffic | TLS 1.2+ |
| OAuth tokens | KMS envelope encryption (AES-256-GCM) |
| Credentials at rest | Encrypted with tenant CMK |
| Database connections | TLS (Relay enforced) |
Further reading
Authentication
JWT tokens, API keys, webhook HMAC, and public endpoints.
RBAC
Four roles, permission matrix, and tenant isolation.
Data privacy
Temporary credentials, per-agent permissions, PII masking, and data isolation.
Compliance
Audit trail, SOC 2 readiness, GDPR/LGPD, and responsible disclosure.