Security

1. Security Overview

Telbase is built on a security-first architecture that protects your applications at every layer:

Key Security Features

• All traffic encrypted with TLS 1.2+
• Secrets encrypted with AES-256-GCM
• SSO authentication via Google, Microsoft, and GitHub
• Domain-based access controls for deployed applications
• Automated security updates for infrastructure
• 24/7 monitoring and incident response

2. Infrastructure Security

Telbase runs on enterprise-grade infrastructure providers with robust security certifications and practices:

2.1 Hosting Infrastructure

Applications are hosted across multiple enterprise-grade providers based on framework requirements:

• Vercel: Serverless edge deployments for web frameworks (Next.js, Vite, Astro, etc.)
• Google Cloud Platform: Cloud Run container hosting for Docker, Django, Go, and other runtimes

All hosting providers offer:

• SOC 2 Type II certified infrastructure
• Multi-region redundancy
• DDoS protection
• Automatic security patching

2.2 Edge Network (Cloudflare)

All traffic is routed through Cloudflare, providing:

• Global CDN with 300+ data centers
• Enterprise-grade DDoS protection
• Web Application Firewall (WAF)
• Automatic SSL/TLS certificate management
• Bot management and protection
• Rate limiting and abuse protection

2.3 Database Infrastructure

Database services are provided by specialized managed providers:

• Neon: Serverless PostgreSQL with autoscaling and branching
• Cloud SQL: Google Cloud managed PostgreSQL (explicit opt-in)
• Turso: Distributed SQLite (libSQL) for edge-optimized workloads

All database providers encrypt data at rest and in transit.

2.4 Network Security

• Encrypted connections: All database connections require TLS/SSL
• Firewall rules: Strict ingress/egress controls on compute infrastructure
• No stored credentials: Database connection strings are fetched on-demand from providers, never stored in Telbase's metadata database
• TLS everywhere: All traffic between clients, APIs, and services is encrypted

2.5 Physical Security

Our infrastructure providers maintain SOC 2 compliant physical security including:

• 24/7 security personnel and surveillance
• Biometric access controls
• Environmental controls (fire suppression, climate control)
• Redundant power and network connectivity

3. Data Encryption

3.1 Encryption in Transit

All data transmitted between your applications, browsers, CLI, and our infrastructure is encrypted:

• Protocol: TLS 1.2 or TLS 1.3
• Certificates: Automatically managed via Cloudflare
• HTTPS only: HTTP requests are redirected to HTTPS
• HSTS enabled: Browsers must use HTTPS

3.2 Encryption at Rest

All stored data is encrypted:

3.3 Secret Management

Environment variables and secrets receive additional protection:

• Encrypted with AES-256-GCM before storage
• Encryption keys rotated regularly
• Never logged or exposed in build output
• Injected at runtime, not baked into images
• Masked in dashboard and API responses

4. Authentication Security

4.1 Platform Authentication

Telbase uses OAuth 2.0 / OpenID Connect for authentication through trusted identity providers:

• Google: Google Workspace and personal accounts
• Microsoft: Microsoft 365 and Entra ID
• GitHub: GitHub accounts

We do not store passwords. Authentication is delegated entirely to these identity providers, which implement their own security measures including multi-factor authentication.

4.2 Session Security

• Sessions are encrypted and stored securely
• Session tokens are rotated on sensitive actions
• Inactive sessions expire after 30 days
• Users can revoke all sessions from the dashboard

4.3 CLI Authentication

The Telbase CLI uses device authorization flow:

• No API keys stored locally in plain text
• Tokens are short-lived and automatically refreshed
• Authentication can be revoked from the dashboard

4.4 Deployed Application Authentication

Authentication for your deployed applications is handled by Cloudflare Access:

• SSO via Google, Microsoft, or GitHub
• Domain-based access restrictions (only @yourcompany.com)
• Email allowlist for external users
• Session management and revocation
• Access logs for audit purposes

5. Access Control

5.1 Principle of Least Privilege

Access to systems and data is granted on a need-to-know basis:

• Team members only access projects they're invited to
• Infrastructure access is limited to operations team
• Database access requires explicit authorization
• All access is logged and auditable

5.2 Role-Based Access

Telbase implements role-based access control for team accounts:

5.3 GitHub Integration Access

When you connect GitHub, we request minimal permissions:

• Read repository contents: To build your application
• Write commit status: To report build/deploy status
• Read webhooks: To receive push notifications
• No write access to code: We never modify your repository

6. Application Security

6.1 Secure Development Practices

• Code review required for all changes
• Automated security scanning in CI/CD
• Dependency vulnerability scanning
• Static analysis for common vulnerabilities
• Regular security training for developers

6.2 Build Security

When we build your applications:

• Builds run in isolated containers
• No network access during build (except for package installation)
• Build environments are ephemeral and destroyed after use
• Environment variables are available during build when needed (e.g., database migrations)

6.3 Runtime Security

• Applications run in isolated containers
• Resource limits prevent runaway processes
• Automatic restarts for crashed applications
• Health checks monitor application availability

6.4 Dependency Security

We monitor our dependencies for vulnerabilities:

• Automated alerts for known CVEs
• Regular dependency updates
• Critical patches applied within 24 hours

7. Monitoring and Logging

7.1 Infrastructure Monitoring

• 24/7 automated monitoring of all systems
• Real-time alerting for anomalies
• Performance metrics and dashboards
• Uptime monitoring with 60-second intervals

7.2 Security Logging

We maintain comprehensive logs for security analysis:

• Authentication events (login, logout, failures)
• API access logs
• Administrative actions
• Configuration changes
• Access control changes

Security logs are retained for 90 days and are protected from tampering.

7.3 Anomaly Detection

• Unusual login patterns trigger alerts
• Brute force attempts are automatically blocked
• Suspicious API activity is flagged for review

8. Incident Response

8.1 Response Process

We have a documented incident response process that includes:

1. Detection: Automated monitoring and user reports
2. Triage: Severity assessment and team notification
3. Containment: Immediate steps to limit impact
4. Eradication: Remove the threat and patch vulnerabilities
5. Recovery: Restore normal operations
6. Post-mortem: Analysis and prevention measures

8.2 Severity Levels

8.3 Customer Notification

In the event of a security incident affecting your data:

• You will be notified within 72 hours of confirmed breach
• We will provide details of what was affected
• We will share remediation steps you should take
• Updates will be provided via email and status page

9. Vulnerability Disclosure

9.1 Reporting Security Issues

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us:

9.2 Our Commitment

• We will acknowledge receipt within 24 hours
• We will investigate and provide updates on our progress
• We will not take legal action against good-faith researchers
• We will credit researchers who report valid vulnerabilities (if desired)

9.3 Scope

In-scope for security research:

• telbase.ai and *.telbase.ai
• Telbase CLI
• Telbase APIs

Out of scope:

• Customer deployed applications (report directly to them)
• Social engineering attacks
• Denial of service attacks
• Physical attacks

10. Compliance

10.1 Current Status

Telbase leverages infrastructure providers with the following certifications:

• Vercel: SOC 2 Type II, ISO 27001
• Google Cloud Platform: SOC 2 Type II, ISO 27001, HIPAA eligible, FedRAMP
• Render: SOC 2 Type II (control plane hosting)
• Neon: SOC 2 Type II
• Cloudflare: SOC 2, ISO 27001, PCI DSS
• AWS (via providers): SOC 2, ISO 27001, HIPAA eligible

10.2 What We Don't Support (Yet)

Telbase does not currently hold the following enterprise compliance certifications:

• SOC 2 Type II (Telbase-specific)
• HIPAA (healthcare data)
• PCI DSS (payment card data)
• FedRAMP (US government)

10.3 Data Protection

We comply with applicable data protection regulations including:

• GDPR: EU data protection regulation
• CCPA: California Consumer Privacy Act

See our Privacy Policy for details on data handling.

11. Security Contact