Security & Compliance
Detektix is built with security at its foundation. As a platform that handles sensitive threat intelligence data, we implement defense-in-depth across every layer.
Security Architecture Overview
Data Isolation
Tenant Isolation
Every Detektix tenant operates in a completely isolated environment:
- Dedicated database — Your data is stored in an isolated database instance, never co-mingled with other organizations
- Separate application deployment — Each tenant runs its own application instance
- Independent configuration — Tenant-specific settings, integrations, and credentials
- Isolated external resources — Phone numbers, AI voice agents, and SMS lines are provisioned per tenant and filtered by tenant identifier
Unlike multi-tenant platforms that use shared databases with logical separation, Detektix provides physical isolation — your database is a separate instance. Even in the unlikely event of an application-layer vulnerability, cross-tenant data access is architecturally impossible.
Affiliation-Level Isolation
Within each tenant, affiliations provide an additional layer of data scoping:
- Users are assigned to specific affiliations and can only access data within those affiliations
- Row-level security policies enforce data boundaries at the database level
- Cross-affiliation access requires Tenant Admin privileges
- All queries are automatically filtered by affiliation scope
Data Isolation Matrix
| Data Type | Tenant Isolation | Affiliation Isolation |
|---|---|---|
| PhantomIDs | Separate database | Filtered by affiliation |
| Call/SMS/Email logs | Separate database | Filtered by PhantomID's affiliation |
| Threat actors | Separate database | Filtered by affiliation |
| Injection targets | Separate database | Filtered by affiliation |
| Users & roles | Separate database | Assigned per affiliation |
| Integration credentials | Separate database | N/A (tenant-level) |
| Phone numbers | Separate Twilio pool | Assigned per PhantomID |
Authentication
Single Sign-On (SSO)
Detektix supports enterprise SSO through:
- Google Workspace — OAuth 2.0 integration with Google identity
- Microsoft Azure AD — OAuth 2.0 integration with Microsoft identity
All authentication flows use industry-standard OAuth 2.0 with PKCE (Proof Key for Code Exchange), which prevents authorization code interception attacks.
Detektix does not store user passwords. Authentication is fully delegated to your identity provider (Google or Microsoft). This eliminates an entire class of credential-based attacks.
Session Management
- Sessions use secure, HTTP-only tokens with automatic refresh
- JWT (JSON Web Token) based session validation
- Sessions expire after configurable inactivity periods
- Token refresh happens transparently without user interruption
- Session state is not stored client-side in accessible storage
Authorization
Role-Based Access Control (RBAC)
Three permission levels control access across the platform:
| Role | Data Access | Write Access | System Config | User Management |
|---|---|---|---|---|
| Tenant Admin | All affiliations | Yes | Full | Yes |
| Admin | Assigned affiliations | Yes | Integrations only | Yes |
| Read Only | Assigned affiliations | No | No | No |
Database-Level Enforcement
Authorization is enforced at the database level using row-level security (RLS) policies — not just in the application layer. This provides defense-in-depth:
- Application layer — UI components and API routes check user roles
- Database layer — RLS policies filter data based on user identity and affiliation membership
- Service layer — Backend functions use service-level credentials with explicit scope checks
Even if the application layer were bypassed, the database itself prevents unauthorized data access. RLS policies are regularly audited and hardened.
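The database-layer check described above can be sketched in PostgreSQL as follows. This is an added example, not Detektix's own schema or policies: every table, column, function and setting name is hypothetical, and it assumes the API sets `app.user_id` per transaction after validating the session.

```sql
-- Constructed schema: all names below are hypothetical.
CREATE TABLE app_users (
    id        uuid PRIMARY KEY,
    role_name text NOT NULL
        CHECK (role_name IN ('tenant_admin', 'admin', 'read_only'))
);
CREATE TABLE user_affiliations (
    user_id        uuid NOT NULL REFERENCES app_users(id),
    affiliation_id uuid NOT NULL,
    PRIMARY KEY (user_id, affiliation_id)
);
CREATE TABLE phantom_ids (
    id             uuid PRIMARY KEY,
    affiliation_id uuid NOT NULL,
    display_name   text NOT NULL
);

-- Assumption: inside each transaction the API first runs
--   SELECT set_config('app.user_id', '<user uuid>', true);
-- An unset or empty value resolves to NULL, so the policies fail closed.
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- SECURITY DEFINER lets the policies consult the lookup tables without
-- granting the application role direct SELECT on them.
CREATE FUNCTION current_app_role() RETURNS text
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
    SELECT role_name FROM app_users WHERE id = current_app_user()
$$;
CREATE FUNCTION has_affiliation(aff uuid) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
    SELECT EXISTS (SELECT 1 FROM user_affiliations
                   WHERE user_id = current_app_user() AND affiliation_id = aff)
$$;

ALTER TABLE phantom_ids ENABLE ROW LEVEL SECURITY;
ALTER TABLE phantom_ids FORCE ROW LEVEL SECURITY;  -- the table owner is filtered too

-- Read: Tenant Admin sees every affiliation, other roles only assigned ones.
CREATE POLICY phantom_ids_read ON phantom_ids FOR SELECT
    USING (current_app_role() = 'tenant_admin' OR has_affiliation(affiliation_id));

-- Write: Read Only never matches; Admin is limited to assigned affiliations.
-- WITH CHECK also stops a row from being moved into another affiliation.
CREATE POLICY phantom_ids_write ON phantom_ids FOR ALL
    USING (current_app_role() = 'tenant_admin'
           OR (current_app_role() = 'admin' AND has_affiliation(affiliation_id)))
    WITH CHECK (current_app_role() = 'tenant_admin'
           OR (current_app_role() = 'admin' AND has_affiliation(affiliation_id)));
```

PostgreSQL skips row-level security for superusers and for roles with the BYPASSRLS attribute, so the role the application connects as must have neither.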
Encryption
Data at Rest
All data stored in the platform is encrypted at rest using AES-256 encryption, including:
- PhantomID records and personal data
- Call recordings and transcripts
- Email content and attachments
- SMS message bodies
- Threat actor intelligence
- All metadata and logs
Data in Transit
All communications use TLS 1.3 encryption:
| Connection | Protocol | Description |
|---|---|---|
| Browser → Application | TLS 1.3 | All user traffic |
| Application → Database | TLS 1.3 | All database queries |
| Application → Twilio | TLS 1.3 | Call and SMS operations |
| Application → ElevenLabs | TLS 1.3 | AI voice agent calls |
| Application → IQSIM | TLS 1.3 | SMS gateway traffic |
| Webhook deliveries | TLS 1.3 | All outbound notifications |
| Webhook ingestion | TLS 1.3 | All inbound event data |
Credential Storage
Integration credentials (API keys, tokens, auth secrets) are stored with dedicated database-level encryption:
- Encrypted using pgcrypto with AES encryption
- Dedicated encrypt/decrypt functions accessible only to the service layer
- Credentials are never exposed to the client application or browser
- Never included in logs, error messages, or API responses
- Decrypted only at the moment of use, then discarded from memory
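One way to build the encrypt/decrypt functions described in this list with pgcrypto, as an added example rather than Detektix's actual implementation. The table, function and role names are hypothetical, and the example assumes pgcrypto is installed in the `public` schema, uses `pgp_sym_encrypt` with AES-256, and receives the key from the service layer on each call.

```sql
-- Constructed example: table, function and role names are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE ROLE service_role NOLOGIN;   -- stands in for the backend's database role

CREATE TABLE integration_credentials (
    integration text PRIMARY KEY,
    secret_enc  bytea NOT NULL,     -- ciphertext only, never the plaintext
    updated_at  timestamptz NOT NULL DEFAULT now()
);
-- No direct table access for anyone but the owner.
REVOKE ALL ON integration_credentials FROM PUBLIC;

-- Assumption: the key is passed in by the service layer from its environment
-- secrets, so it is never stored next to the ciphertext.
CREATE FUNCTION store_credential(p_integration text, p_secret text, p_key text)
RETURNS void
LANGUAGE sql SECURITY DEFINER SET search_path = public AS $$
    INSERT INTO integration_credentials (integration, secret_enc)
    VALUES (p_integration,
            pgp_sym_encrypt(p_secret, p_key, 'cipher-algo=aes256'))
    ON CONFLICT (integration)
    DO UPDATE SET secret_enc = EXCLUDED.secret_enc, updated_at = now()
$$;

CREATE FUNCTION read_credential(p_integration text, p_key text)
RETURNS text
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public AS $$
    SELECT pgp_sym_decrypt(secret_enc, p_key)
    FROM integration_credentials
    WHERE integration = p_integration
$$;

-- Functions are executable by PUBLIC by default; lock them to the service role.
REVOKE EXECUTE ON FUNCTION store_credential(text, text, text) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION read_credential(text, text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION store_credential(text, text, text) TO service_role;
GRANT  EXECUTE ON FUNCTION read_credential(text, text) TO service_role;
```

Statement logging settings such as `log_statement` and `log_min_duration_statement` can record the arguments of these calls, so review them on any database where the key is passed as a parameter.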
Audit Trail
Every user action in the platform is logged in a comprehensive, immutable audit trail:
| Field | Description |
|---|---|
| Action | The specific operation: create, update, delete |
| User | Who performed the action (user ID and email) |
| Timestamp | Precise time of the action |
| Entity type | What was affected: PhantomID, domain, user, injection target, etc. |
| Entity ID | The specific record that was modified |
| Page/Route | Where in the application the action was performed |
| Metadata | Additional context about the change |
Audit Log Properties
- Immutable — Once recorded, audit entries cannot be edited or deleted by any user, including Tenant Admins
- Comprehensive — Every create, update, and delete operation is captured
- Queryable — Filter by user, action type, entity type, or date range
- Retained — Logs are retained according to your organization's data retention policy
- Accessible — Tenant Admins can review the full audit trail in the Activity Logs section
API Security
Authentication & Authorization
- All API calls require authenticated sessions with valid JWT tokens
- Tokens are validated on every request — expired or invalid tokens are rejected immediately
- API endpoints enforce role-based access checks before processing
Service-Level Isolation
Backend operations use service-level credentials that are strictly separated from client credentials:
- Service credentials are stored as environment secrets, never in code or configuration files
- Client applications only receive anonymous-level tokens with limited scope
- All sensitive operations (credential decryption, cross-service calls, data sync) happen exclusively on the server side
- No service credentials are ever transmitted to the browser
Rate Limiting
- Injection operations support configurable rate limits (per hour and per day)
- Rate limits prevent overwhelming target platforms
- Configurable per injection target for operational flexibility
CORS & Headers
- Cross-Origin Resource Sharing (CORS) policies restrict API access to authorized origins
- Security headers are set on all responses
- Content Security Policy headers prevent XSS attacks
Webhook Security
Outbound Webhooks
Detektix webhook deliveries include security measures for your receiving systems:
- Verification token — Each delivery includes a token your system can validate
- HTTPS only — Webhooks are only delivered to HTTPS endpoints
- Retry with backoff — Failed deliveries retry automatically with exponential backoff
- Delivery logging — All webhook deliveries are logged for audit purposes
Inbound Webhooks
Inbound webhooks from external services (telephony, SMS) are validated using:
- Token-based authentication — Pre-shared tokens validated on every request
- HMAC signature validation — Payload integrity verification where supported
- Source validation — Request origin checks where applicable
Infrastructure
Hosting & Availability
| Component | Provider | Features |
|---|---|---|
| Application | Enterprise cloud hosting | Automatic scaling, global CDN |
| Database | Managed PostgreSQL | Automated backups, point-in-time recovery, high availability |
| Static assets | Global CDN | Edge caching, DDoS protection |
| DNS & SSL | Cloudflare | SSL termination, DDoS mitigation |
Backup & Recovery
- Automated daily backups of all database data
- Point-in-time recovery — restore to any second within the retention window
- Backup encryption — All backups are encrypted at rest
- Tested recovery — Backup restoration is tested regularly
Monitoring & Alerting
- Server health monitoring with automatic alerting
- Backend function execution logging and error tracking
- Performance monitoring and anomaly detection
- Uptime monitoring with incident response procedures
Network Security
DDoS Protection
- Application is served behind a global CDN with DDoS mitigation
- Rate limiting at the edge prevents abuse
- Automatic traffic analysis and malicious request filtering
Access Control
- Administrative access to infrastructure requires multi-factor authentication
- Infrastructure access is logged and audited
- Production database access is restricted to service-level credentials only
- No direct database access from the public internet
Compliance
For specific compliance certifications, audit reports, or security questionnaire responses, please contact your Detektix account representative.
Detektix is designed to support common enterprise compliance requirements:
| Requirement | How Detektix Supports It |
|---|---|
| Data residency | Database location configurable per tenant (EU, US, etc.) |
| Access controls | RBAC with three permission levels + full audit trail |
| Encryption | AES-256 at rest, TLS 1.3 in transit, encrypted credential storage |
| Data retention | Configurable retention policies per data type |
| Right to deletion | PhantomID archival with data cleanup capabilities |
| Audit logging | Immutable, comprehensive audit trail of all user actions |
| Incident response | Built-in incident management with severity levels and workflow |
| Vendor management | All external service integrations documented and encrypted |
Compliance Frameworks
Detektix's security controls are designed to align with:
- SOC 2 Type II — Security, availability, and confidentiality controls
- GDPR — Data protection and privacy controls for EU data
- ISO 27001 — Information security management system controls
Responsible Disclosure
If you discover a security vulnerability in the Detektix platform, please contact your account representative or email our security team directly. We take all reports seriously and will respond promptly.
Our commitment:
- Acknowledge your report within 24 hours
- Assess severity and impact within 48 hours
- Remediate confirmed vulnerabilities according to severity
- Communicate resolution and timeline throughout the process