Trust Center / Security Overview

Security Overview

A practical walkthrough of how Saga PM is built and operated. We've tried to write this for procurement and security teams who want concrete answers, not marketing language.

Last updated: May 7, 2026

Encryption

In transit

All connections to the Saga PM application are TLS 1.2 or higher. TLS is terminated at our nginx ingress, with certificates managed by cert-manager and issued by Let's Encrypt with automatic rotation. Internal database connections use sslmode=require; the connection refuses to open without TLS.

At rest (database)

The production database is DigitalOcean Managed PostgreSQL, which encrypts data at rest at the storage layer. Encrypted backups are retained for 30 days with point-in-time recovery.

At rest (object storage)

File attachments are stored in DigitalOcean Spaces, which provides server-side encryption by default. As part of our SOC 2 readiness work, we are explicitly enforcing and documenting bucket-level encryption settings via Terraform. Reads are routed through a tenant-scoped proxy at /api/attachments/<id>/content that re-signs a fresh short-lived URL on each request and applies an authorization check — preventing stale or shared links from leaking content.

Tenant secrets

Sensitive per-tenant configuration (OIDC client secrets, integration credentials) is envelope-encrypted with AES-256-GCM, with per-tenant keys derived from a master key via HKDF-SHA256. The master key lives in a Kubernetes Secret in the production cluster — never in source code, configuration, or the database. Decryption only happens server-side at the moment a secret is needed; it is never returned to the client.

Authentication

Authentication is handled by Ory Kratos, a self-hosted, open-source identity provider. We support:

  • Password + TOTP — passwords are stored as bcrypt hashes (Kratos default).
  • WebAuthn / passkeys — phishing-resistant authentication, available to every user.
  • OIDC SSO — per-tenant OIDC integration with any OIDC-compliant identity provider (Okta, Microsoft Entra ID, Google Workspace, etc.).

Multi-factor authentication can be required at the workspace level. Enforcement happens server-side on every request — disabling MFA in the UI doesn't bypass the requirement.

Sessions are cookie-based with HttpOnly and SameSite=Lax attributes; cross-site cookies are blocked by default. Session data is stored in PostgreSQL and revocable.

Authorization

Saga PM uses role and team-based access control, evaluated at the GraphQL resolver layer — not the client. The roles are:

  • Owner — full workspace control, including billing.
  • Admin — workspace configuration and member management.
  • Member — content access scoped by team membership.

On top of roles, every entity (Goal, Project, Record, Idea) can be scoped to a team. Restricted teams are visible only to their members; limited teams are visible to all but editable only by members.

A schema-walking lint test in our CI pipeline fails the build if any GraphQL mutation is missing a permission check. The boundary is enforced by the build, not just by code review.

Public API tokens

API tokens are issued per workspace and scoped to read, write, or settings. Sensitive operations (billing, workspace creation, OIDC configuration) are restricted to browser-authenticated sessions and cannot be invoked with API tokens.

Tenant isolation

Saga PM uses a schema-per-tenant isolation model. Each workspace's data lives in its own PostgreSQL schema (tenant_<slug>), with the public schema reserved for shared metadata (users, tenants, audit logs).

Every authenticated request is processed by a tenant middleware that:

  • Resolves the workspace from the request path.
  • Checks out a database connection from a per-request pool.
  • Sets search_path = tenant_<slug>, public on that connection before any query runs.
  • Returns the connection to the pool only after the request completes.

There is no cross-tenant SQL anywhere in the codebase. The database itself enforces the tenant boundary — even a buggy query cannot read another workspace's data.

Audit logs

Three classes of audit data are captured:

  • Tenant settings audit — every workspace configuration change (members added/removed, roles changed, integrations connected, billing actions) records the actor, action, and before/after state.
  • Admin audit log — internal Saga PM administrative actions (e.g., support-driven changes) are logged with full attribution.
  • Sensitive operation logs — tenant secret reads and writes, OIDC authorize/callback events, and authentication failures are emitted as structured WARN-level logs with actor, tenant, and key metadata.

Audit data is queryable per-tenant from the workspace settings page. Customers on enterprise plans can request an export of their full audit history.

Operations & SDLC

Code change

  • Every change goes through a GitHub Pull Request with at least one approval before merge.
  • CI gates: build, unit tests, integration tests, dependency vulnerability scanning (govulncheck), frontend type check, migration safety lint.
  • Production deploys are deliberate: a separate command (helm upgrade), not auto-merged from main. A bad commit cannot land in production by accident.

Vulnerability management

  • govulncheck runs in CI on every backend change and gates the build on critical and high-severity findings.
  • Critical and high-severity vulnerabilities are triaged on disclosure and patched on an expedited schedule appropriate to severity.
  • As part of our SOC 2 readiness work, we are rolling out frontend dependency vulnerability scanning, automated dependency updates (Dependabot), and additional static analysis (CodeQL/Semgrep). First independent third-party penetration test is scheduled in the SOC 2 prep window; reports will be available under NDA on request once available.

Monitoring

  • Metrics — Prometheus, with alerts on authentication failures, rate-limit anomalies, error rates, latency, and database pool exhaustion.
  • Logs — centralized via Loki, structured per-request with tenant and actor context.
  • Traces — OpenTelemetry distributed tracing via Tempo; request IDs cross-link logs, metrics, and traces.

Infrastructure

Saga PM is hosted on DigitalOcean in the NYC3 region (United States East). The production stack:

  • DigitalOcean Kubernetes (DOKS) — application workloads.
  • DigitalOcean Managed PostgreSQL — primary database, 30-day backup retention, point-in-time recovery.
  • DigitalOcean Spaces — file attachment storage.
  • DigitalOcean Load Balancer + nginx ingress — TLS termination at the cluster edge.

All workloads run in a private VPC. The application database is not reachable from the public internet. Production secrets are managed via SOPS with age-encrypted Helm values; plaintext secrets are unsealed only at deploy time and never written to disk.

Incident response

Our incident response process covers detection, triage, communication, mitigation, and post-incident review. The runbook is being formalized as part of our SOC 2 readiness work. Our customer commitments are:

  • Personal Data Breach notification — within 72 hours of confirmation, per GDPR and our DPA.
  • Material service incidents — communicated to affected workspaces by email; a public status page is in scope for SOC 2 readiness.
  • Post-mortems — written for material incidents and shared with affected customers on request.

Vulnerability disclosure: [email protected]. We acknowledge within 2 business days.

Data handling

Retention

Workspace content is retained for the lifetime of the workspace. When a workspace is deleted, the entire tenant schema is dropped and tenant secrets are zeroed within 30 days. Encrypted backups expire on the standard 30-day rolling window.

Data export

Workspace data is fully accessible via our GraphQL API. Self-serve CSV export is on the near roadmap; for enterprise customers, we provide a structured JSON dump on request.

Data deletion

Owners can delete a workspace from the workspace settings page. Deletion is soft for 7 days (recoverable on request) before becoming permanent.

What we don't do

  • We do not sell customer data.
  • We do not use customer content to train machine learning models.
  • We do not share customer data with advertising networks.

Security questionnaires

Common security questionnaires (CAIQ, SIG, custom enterprise templates) are pre-answered and available under NDA. Email [email protected] with your questionnaire, and we'll return it promptly.