🔒 Security at CreonOS
Last Updated: February 4, 2026
Security is Our Priority
CreonOS handles sensitive code and proprietary projects. We implement enterprise-grade security measures to protect your data and maintain platform integrity.
✅ TLS 1.3 Encryption
✅ SOC 2 Hosting
✅ Bcrypt Passwords
✅ Rate Limiting
✅ CSRF Protection
✅ Regular Audits
1. Infrastructure Security
1.1 Hosting & Compliance
- Railway Infrastructure: SOC 2 Type II certified cloud platform
- Data Centers: Multi-region redundancy with automatic failover
- Network Security: DDoS protection, firewall rules, intrusion detection
- Compliance: GDPR, UK Data Protection Act 2018, ISO 27001 aligned
1.2 Encryption
- Data in Transit: TLS 1.3 with perfect forward secrecy
- Data at Rest: AES-256 encryption for database and file storage
- Passwords: Bcrypt hashing with salt (minimum 10 rounds)
- API Keys: Encrypted at rest, never logged in plain text
1.3 Database Security
- PostgreSQL: Managed by Railway with automated backups
- Access Control: Role-based permissions, principle of least privilege
- Backups: Daily automated backups retained for 30 days
- SQL Injection Prevention: Parameterized queries, ORM validation
2. Application Security
2.1 Authentication & Authorization
- JWT Tokens: Secure session management with expiration
- 2FA Support: Optional two-factor authentication (coming Q2 2026)
- Session Timeout: 30-day rolling expiration
- Password Requirements: Minimum 8 characters, complexity enforced
2.2 API Security
- Rate Limiting: 100 requests/minute per IP, 1000/hour per user
- API Key Rotation: Support for key refresh without downtime
- CORS Policy: Strict origin validation
- Input Validation: Pydantic models with type checking
2.3 WebSocket Security
- Authentication: Token-based WS connection validation
- Message Validation: JSON schema validation on all messages
- Connection Limits: Max 5 concurrent connections per user
- Heartbeat Monitoring: Detect and close stale connections
3. Code Execution Security
3.1 AI Agent Sandboxing
- Isolated Workspaces: Each user's code runs in a separate environment
- Resource Limits: CPU, memory, and disk quotas enforced
- Network Isolation: Restricted outbound connections
- File System Restrictions: Agents cannot access system files
3.2 Code Validation
- Syntax Checking: Pre-execution validation to prevent crashes
- Dangerous Pattern Detection: Block known malicious patterns
- Import Restrictions: Whitelist of allowed libraries
- Timeout Enforcement: 60-second execution limit per agent run
4. Data Protection
4.1 User Data Isolation
- Multi-tenant architecture with strict data segregation
- Row-level security in database queries
- User A cannot access User B's projects, code, or data
- Admin access requires 2FA and is logged
4.2 AI Provider Data Handling
When sending code to AI providers (Claude, GPT-4, Gemini, DeepSeek):
- Opt-Out Training: We use API flags to prevent AI model training on your code
- Ephemeral Processing: Prompts are not retained by providers (per their policies)
- Zero Data Retention (ZDR): Anthropic Claude uses ZDR for enterprise customers
- Encrypted Transit: HTTPS for all API communications
4.3 Data Retention
- Active Projects: Stored indefinitely while account is active
- Deleted Projects: Soft-deleted for 30 days, then permanently purged
- Logs: Retained for 12 months for debugging and security audits
- Backups: 30-day retention, encrypted at rest
5. Monitoring & Incident Response
5.1 Security Monitoring
- 24/7 automated threat detection
- Failed login attempt tracking (lockout after 5 failures)
- Anomaly detection for unusual API usage
- Real-time alerts for critical security events
5.2 Incident Response Plan
In the event of a security incident:
- Detection: Automated alerts notify security team within minutes
- Containment: Isolate affected systems to prevent spread
- Investigation: Forensic analysis to determine scope and cause
- Remediation: Patch vulnerabilities and restore service
- Notification: Inform affected users within 72 hours (GDPR requirement)
- Post-Mortem: Document lessons learned and improve defenses
5.3 Breach Notification
If your data is compromised, we will:
- Email you within 72 hours of discovery
- Provide details on what data was affected
- Explain our response and mitigation steps
- Offer guidance to protect your account
- Report to ICO (UK) or relevant authorities as required
6. Vulnerability Disclosure Program
🐛 Found a Security Issue? We Want to Hear From You.
CreonOS welcomes responsible disclosure of security vulnerabilities. If you discover a security issue, please report it privately rather than publicly disclosing it.
How to Report
Email: security@creonai.co.uk
PGP Key: Available at /pgp-key.txt (for encrypted reports)
What to Include
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity
- Your name (if you want credit) or "Anonymous"
Our Commitment
- Acknowledgment: Within 24 hours of your report
- Updates: Progress reports every 72 hours
- Fix Timeline: Critical issues patched within 7 days
- Credit: Public acknowledgment in our Security Hall of Fame (if desired)
- No Legal Action: We will not pursue legal action against good-faith security researchers
Bug Bounty (Coming Soon)
We're planning a bug bounty program for 2026. High-severity vulnerabilities may be eligible for rewards up to $5,000.
7. Security Best Practices for Users
7.1 Protect Your Account
- Use a strong password: 12+ characters, mix of letters/numbers/symbols
- Enable 2FA: When available (Q2 2026)
- Don't share credentials: Each team member should have their own account
- Log out on shared devices: Always log out on public/shared computers
7.2 Secure Your Code
- Don't commit secrets: Use environment variables for API keys, passwords
- Review AI-generated code: Always inspect code before deploying to production
- Use private projects: For proprietary code (Pro plan feature)
- Backup regularly: Export your code weekly
7.3 Recognize Phishing
CreonOS will NEVER:
- Ask for your password via email
- Request payment outside of Stripe checkout
- Send suspicious links from non-@creonai.co.uk domains
- Ask you to "verify your account" urgently
If you receive a suspicious email claiming to be from CreonOS, forward it to security@creonai.co.uk.
8. Compliance & Certifications
8.1 Current Compliance
- GDPR: EU General Data Protection Regulation
- UK DPA 2018: UK Data Protection Act
- PCI-DSS: Stripe handles payment processing (Level 1 PCI certified)
8.2 In Progress (2026)
- SOC 2 Type II: Independent security audit (Q3 2026)
- ISO 27001: Information security management certification (Q4 2026)
- HIPAA: For healthcare clients (on enterprise plan roadmap)
9. Third-Party Security
9.1 Vetted Integrations
CreonOS only integrates with security-conscious providers:
- Anthropic (Claude): SOC 2 Type II, HIPAA compliant
- OpenAI (GPT-4): SOC 2 certified, data encryption at rest
- Google (Gemini): ISO 27001, GDPR compliant
- Stripe: PCI Level 1, highest security standard for payments
- Railway: SOC 2 Type II certified infrastructure
9.2 Regular Audits
We conduct quarterly reviews of third-party security practices and update integrations as needed.
10. Security Updates
10.1 Platform Updates
- Security patches applied within 48 hours of discovery
- Dependency updates monthly (or immediately for critical CVEs)
- Zero-downtime deployment for most updates
10.2 Transparency
Major security updates are announced via:
11. Contact Security Team
For security concerns, questions, or reports:
Email: security@creonai.co.uk
Support: support@creonai.co.uk
Emergency: security-emergency@creonai.co.uk (critical issues only)
PGP Key: https://creonai-backend-production-0dbc.up.railway.app/pgp-key.txt
Response Times:
- Critical vulnerabilities: < 4 hours
- High severity: < 24 hours
- Medium/Low severity: < 72 hours
- General inquiries: < 5 business days
Security Summary: CreonOS uses enterprise-grade security (TLS 1.3, AES-256, bcrypt, rate limiting, SOC 2 hosting). Your code is isolated, encrypted, and never used for AI training without consent. Found a vulnerability? Email security@creonai.co.uk.