Security Overview
Last Updated: October 16, 2025
Saturn is built with security-first architecture for DevOps and engineering teams monitoring business-critical scheduled jobs.
Note: The complete Security Overview is in website/docs/legal/security.md.
Infrastructure
| Component | Provider | Security |
|---|---|---|
| Web hosting | Vercel | SOC 2 Type II, ISO 27001 |
| Workers | Fly.io | SOC 2 Type II |
| Database | Neon (Postgres) | SOC 2 Type II, GDPR-compliant |
| Caching | Upstash (Redis) | SOC 2 Type II |
| Storage | MinIO (S3-compatible) | Encryption at rest |
| Payments | Stripe | PCI DSS Level 1 |
Data Protection
- Encryption in transit: TLS 1.2+ (TLS 1.3 preferred)
- Encryption at rest: AES-256 (provider-managed keys)
- Token hashing: SHA-256 (irreversible)
- Row-level security: Automatic filtering by organization ID
- OAuth tokens: AES-256-GCM encryption
Application Security
- Input validation: Zod schemas for all API inputs
- SQL injection: Prisma ORM with parameterized queries
- XSS prevention: React automatic escaping
- CSRF protection: NextAuth v5 double-submit cookies
- Rate limiting: Redis-backed sliding window (60-120 req/min)
- Secure headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
Output Redaction
Automatic pattern-based redaction for:
- Passwords (e.g., `password=secret` → `password=***REDACTED***`)
- API keys (e.g., `api_key: abc123` → `api_key: ***REDACTED***`)
- Bearer tokens (JWT patterns)
- AWS credentials (`AKIA*`, `AWS_SECRET_ACCESS_KEY`)
- Private keys (`-----BEGIN PRIVATE KEY-----`)
- Credit cards (last 4 digits preserved)
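As an added example (not Saturn's own code), a small TypeScript redactor that applies the pattern categories listed above in order; the `***REDACTED***` marker, the key names and the regexes are illustrative assumptions, and it goes one step beyond the list by adding a Luhn check so the credit-card rule does not mask ordinary 16-digit identifiers.

```typescript
// Added example, not Saturn's code: pattern-based redaction of captured job
// output in the spirit of the list above. Patterns, key names and the
// REDACTED marker are illustrative assumptions; real credentials vary widely.
const REDACTED = "***REDACTED***";

// Luhn check so ordinary 16-digit IDs or timestamps are not masked as cards.
function luhnValid(digits: string): boolean {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

type Rule = { name: string; pattern: RegExp; replacer: (substring: string, ...args: any[]) => string };

// Order matters: multi-line PEM blocks first, then key=value pairs, then bare tokens.
const RULES: Rule[] = [
  { name: "private-key",
    pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
    replacer: () => "***REDACTED PRIVATE KEY***" },
  { name: "key-value",         // password=secret, api_key: abc123, AWS_SECRET_ACCESS_KEY=...
    pattern: /\b(password|passwd|pwd|api[_-]?key|secret|token|aws_secret_access_key)(\s*[:=]\s*)(["']?)([^\s"',;]+)\3/gi,
    replacer: (_m, key, sep, quote) => `${key}${sep}${quote}${REDACTED}${quote}` },
  { name: "bearer",
    pattern: /\bBearer\s+[A-Za-z0-9._~+\/=-]+/g,
    replacer: () => `Bearer ${REDACTED}` },
  { name: "jwt",               // three base64url segments; header starts with "eyJ" ('{"')
    pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
    replacer: () => REDACTED },
  { name: "aws-access-key-id", // AKIA followed by 16 upper-case alphanumerics
    pattern: /\bAKIA[0-9A-Z]{16}\b/g,
    replacer: () => REDACTED },
  { name: "credit-card",       // 13-19 digits, optional spaces/dashes; keep last 4
    pattern: /\b(?:\d[ -]?){12,15}(\d{4})\b/g,
    replacer: (m, last4) => luhnValid(m.replace(/[ -]/g, "")) ? `****-****-****-${last4}` : m },
];

// Run every rule in turn over a captured output string.
function redact(output: string): string {
  return RULES.reduce((text, rule) => text.replace(rule.pattern, rule.replacer), output);
}
```

Pattern matching is a heuristic: a bare word like `secret:` followed by a value will be masked too, so treat redaction as defence in depth rather than a substitute for keeping credentials out of job output.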
Vulnerability Disclosure
Report security vulnerabilities to: security@saturn.io
Response timeline:
- Initial response within 24 hours
- Triage within 72 hours
- Critical vulnerabilities patched within 7 days
- Coordinated disclosure 30 days after fix
Compliance
- ✅ GDPR: DPA available, SCCs for international transfers
- ✅ CCPA: Data disclosure transparency, no data sales
- 🔄 SOC 2 Type I: Planned
- 🔄 SOC 2 Type II: Planned
For the complete Security Overview with detailed architecture and measures, see website/docs/legal/security.md.