Trust & Transparency

Security Practices

We are a security company. We hold ourselves to the same standard we hold our clients. This page documents how we secure our platform, your data, and our own operations.

Infrastructure Security

Cloud Provider

AWS ap-south-1 (Mumbai). All infrastructure provisioned via IaC with no manual console changes in production.

Encryption at Rest

AES-256 encryption for all stored data including database volumes, S3 buckets, and backups.

Encryption in Transit

TLS 1.3 enforced for all endpoints. TLS 1.0 and 1.1 disabled. HSTS with 1-year max-age.

Network Isolation

Platform services run in private VPC subnets with no direct internet exposure. API gateway and WAF in front of all public endpoints.

Secrets Management

AWS Secrets Manager for all credentials and API keys. No secrets in environment variables or source code.

Immutable Infrastructure

Containerised workloads deployed via CI/CD. Containers are immutable — no SSH access to production instances.

Data Isolation

Every customer is a separate tenant. Row-Level Security (RLS) is enforced at the database layer — not just the application layer. A query executed in Tenant A's context is structurally incapable of returning data belonging to Tenant B.

S3 evidence buckets are segregated per tenant with distinct IAM roles and bucket policies. Cross-tenant access is impossible by design.

Isolation controls summary:

  • Database: PostgreSQL RLS with tenant_id predicate on every row
  • Storage: Per-tenant S3 bucket prefixes with distinct presigned URL scopes
  • API: JWT claims carry tenant_id, validated on every request
  • Audit: Cross-tenant access attempts logged and alerted in real time
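
The database-layer control in the summary above, sketched in PostgreSQL as an added example (it is not Blackfyre's schema or code). The table `findings`, the role `app_rw`, the setting name `app.tenant_id` and the UUIDs are assumptions constructed for illustration.

```sql
-- Added example: hypothetical table, role and setting names.
CREATE TABLE findings (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner too,
-- who would otherwise bypass RLS on their own table.
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- USING filters the rows visible to SELECT/UPDATE/DELETE.
-- WITH CHECK rejects INSERT/UPDATE that would write another tenant's id.
-- current_setting() without missing_ok raises an error when the setting
-- was never bound, so a request with no tenant context fails closed.
CREATE POLICY tenant_isolation ON findings
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- The application connects as a role that cannot bypass policies.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON findings TO app_rw;
GRANT USAGE ON SEQUENCE findings_id_seq TO app_rw;

-- Per request, connected as app_rw: bind the tenant taken from the
-- validated JWT claim. is_local = true scopes the value to this
-- transaction, so it cannot leak to the next user of a pooled connection.
BEGIN;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111', true);

-- Passes WITH CHECK: the row's tenant_id matches the bound tenant.
INSERT INTO findings (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'constructed sample row');

-- No WHERE clause on tenant_id: the policy predicate is added by the
-- database, so rows of other tenants are invisible to this query.
SELECT id, title FROM findings;
COMMIT;
```

Superusers and roles with the BYPASSRLS attribute skip policies entirely, so the isolation holds only while the application connects as a role like the assumed `app_rw`.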

Evidence Integrity

SHA-256 Hashing

Every uploaded artefact and generated report is hashed on write. The hash is stored separately and verified on every read. Any tampering is detected immediately.

S3 WORM (Write Once, Read Many)

Compliance evidence is stored with S3 Object Lock in COMPLIANCE mode. Once written, no user — including Blackfyre administrators — can delete or overwrite evidence artefacts within the retention window. This ensures chain-of-custody integrity for audit purposes.

Audit Trail

Every create, update, and delete operation is recorded in an append-only audit log with actor identity, timestamp, IP address, and changed values. Audit logs cannot be modified by any user role.

Access Control

Role-Based Access Control (RBAC)

Granular roles — Owner, Admin, Analyst, Viewer — with least-privilege defaults. Custom roles available on Defend tier.

Multi-Factor Authentication

MFA is mandatory for all platform accounts. TOTP and hardware security keys (FIDO2/WebAuthn) supported.

Internal Access

Blackfyre staff access to production is gated by MFA and break-glass procedures, and every access generates a permanent audit record. No standing access.

API Security

All API calls require a signed JWT with short expiry. Refresh tokens are rotated on use and revocable instantly.

Vulnerability Management

Regular Penetration Testing

The BLACKFYRE platform undergoes independent penetration testing at least annually, conducted by a third-party firm unaffiliated with Blackfyre. Critical and High findings are remediated before the report is closed. Reports are available to enterprise customers under NDA on request.

Dependency Scanning

All software dependencies are scanned for known CVEs on every CI build using automated SAST/SCA tools. Critical vulnerabilities block deployment.

Patch Management

Operating system and runtime patches are applied within 7 days for Critical severity and within 30 days for High severity, following vendor disclosure.

Compliance Frameworks

We are actively working toward the following certifications. Our controls are built to meet these standards today, with formal audit processes in progress.

SOC 2 Type II (In Progress)

Trust Service Criteria covering Security, Availability, and Confidentiality. Target completion: Q4 2026.

ISO 27001:2022 (In Progress)

Information Security Management System certification. Gap assessment completed. Formal audit scheduled.

Incident Response

We operate 24/7 automated monitoring across infrastructure, application, and security layers using AWS CloudWatch, GuardDuty, and custom alerting rules.

  • Monitoring: 24/7
  • P1 Response SLA: 1 hour
  • Breach notification: 72 hours

In the event of a confirmed personal data breach, we will notify affected customers and relevant regulators within 72 hours of confirmation, consistent with GDPR and DPDPA requirements.

Report a Vulnerability

We take security reports seriously and will investigate every submission. If you have discovered a potential vulnerability in the BLACKFYRE platform or our infrastructure, please contact us through our responsible disclosure channel.

security@blackfyre.tech

We ask for 90 days to investigate and remediate before any public disclosure. We do not pursue legal action against researchers acting in good faith.