Security at Oystercatcher

We take the security of your data seriously. Here's how we protect it.

Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.3.

Access Controls

Role-based access control, multi-factor authentication, and session management.

Infrastructure

Hosted on AWS with VPC isolation, regular patching, and redundant systems.

Monitoring

24/7 security monitoring, intrusion detection, and automated alerting.

Personnel

Background checks, security training, and least-privilege access for all employees.

Compliance

SOC 2 Type II certification in progress. HIPAA-ready infrastructure.

Data Protection

Encryption

  • At Rest: All data is encrypted using AES-256
  • In Transit: All connections use TLS 1.3 with modern cipher suites
  • Key Management: Encryption keys are managed using AWS KMS with automatic rotation

Data Isolation

Each customer's data is logically isolated using organization-level access controls. Database queries are scoped to prevent cross-tenant data access.

Application Security

Authentication

  • Secure password storage using bcrypt hashing
  • Multi-factor authentication (MFA) available
  • Session management with secure token handling
  • Account lockout after failed login attempts

Authorization

  • Role-based access control (RBAC)
  • Granular permissions for team members
  • Audit logging of all access and changes

Secure Development

  • Code reviews required for all changes
  • Automated security scanning in CI/CD pipeline
  • Regular dependency updates and vulnerability patching
  • OWASP Top 10 protection measures

Infrastructure Security

Cloud Infrastructure

  • Hosted on Amazon Web Services (AWS)
  • VPC network isolation
  • Security groups and network ACLs
  • Private subnets for databases and internal services

Availability

  • Multi-availability zone deployment
  • Automated failover and recovery
  • Regular backups with point-in-time recovery
  • 99.9% uptime SLA

Operational Security

Monitoring

  • 24/7 infrastructure monitoring
  • Real-time alerting for security events
  • Centralized logging and analysis
  • Performance monitoring and anomaly detection

Incident Response

  • Documented incident response procedures
  • Incident classification and escalation paths
  • Post-incident reviews and remediation
  • Customer notification within 72 hours for data breaches

Compliance

Current Status

  • SOC 2 Type II: Certification in progress
  • GDPR: Compliant, with Data Processing Agreement available
  • CCPA: Compliant with privacy controls
  • HIPAA: HIPAA-ready infrastructure; BAA available for enterprise customers

Responsible Disclosure

If you discover a security vulnerability, please report it to security@oystercatcher.ai. We appreciate responsible disclosure and will work with you to address any issues promptly.

Questions?

For security-related questions or to request additional documentation, contact us at security@oystercatcher.ai.