Last updated June 2026

Security

Your network data is critical infrastructure. OmniTwin treats every byte of it with the same rigor you would expect from the systems it manages.

Infrastructure Security

OmniTwin is hosted on hardened cloud infrastructure from providers that hold current SOC 2 Type II attestation reports. Our production environment runs in isolated Virtual Private Cloud (VPC) networks, and backend services are not exposed to the public internet.

  • All production workloads run in isolated, single-tenant containers with strict resource boundaries.
  • Infrastructure is provisioned and managed exclusively through version-controlled Infrastructure as Code (IaC), ensuring every change is auditable and reproducible.
  • Automated configuration drift detection runs continuously across all production systems, with alerts triggering within 60 seconds of any unauthorized modification.
  • Host-level intrusion detection systems (HIDS) monitor all production nodes for suspicious activity, file integrity changes, and anomalous process behavior.

Data Encryption

All data is encrypted both in transit and at rest. We do not support unencrypted connections to any OmniTwin service.

  • In transit: All connections use TLS 1.3 with strong cipher suites. We enforce HSTS with a minimum max-age of one year (31,536,000 seconds) and the includeSubDomains directive. All certificates issued for our domains are logged to Certificate Transparency logs.
  • At rest: All data stored in PostgreSQL and Neo4j databases is encrypted using AES-256. Encryption keys are managed through a dedicated Key Management Service (KMS) with automatic rotation on a 90-day cycle.
  • Backups: Database backups are encrypted with separate keys from production data and stored in geographically redundant locations with strict access controls.
  • Secrets management: API keys, database credentials, and service tokens are stored in a hardened vault with audit logging on every access. Secrets are never stored in source code, environment variables, or container images.
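A practitioner verifying the HSTS claim above would fetch the Strict-Transport-Security header from each public endpoint and check it against the stated policy. The following is an added example, not OmniTwin's code: it parses a header value per RFC 6797 (case-insensitive directive names, optional quoting, unknown directives ignored, a repeated max-age rejected) and checks for a max-age of at least one year plus includeSubDomains. The preload directive is reported but not required, since the page does not mention preloading; the sample headers are constructed, not captured from any host.

```rust
// Added example, not OmniTwin's code: check an HSTS header value against the
// policy stated on this page (max-age >= one year, includeSubDomains present).

/// Minimum max-age the policy requires: one year in seconds.
pub const MIN_MAX_AGE: u64 = 31_536_000;

#[derive(Debug, PartialEq, Eq)]
pub struct HstsPolicy {
    pub max_age: u64,
    pub include_subdomains: bool,
    pub preload: bool, // reported only; not required by the stated policy
}

/// Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
/// Returns None when max-age is missing, malformed, or given more than once.
pub fn parse_hsts(value: &str) -> Option<HstsPolicy> {
    let mut max_age = None;
    let mut include_subdomains = false;
    let mut preload = false;
    for directive in value.split(';') {
        let directive = directive.trim();
        if directive.is_empty() {
            continue;
        }
        // Directive names are case-insensitive; values may be quoted.
        let (name, arg) = match directive.split_once('=') {
            Some((n, a)) => (n.trim().to_ascii_lowercase(), Some(a.trim().trim_matches('"'))),
            None => (directive.to_ascii_lowercase(), None),
        };
        match (name.as_str(), arg) {
            ("max-age", Some(a)) => {
                if max_age.is_some() {
                    return None; // RFC 6797: a directive MUST NOT appear more than once
                }
                max_age = Some(a.parse::<u64>().ok()?);
            }
            ("max-age", None) => return None, // max-age requires a value
            ("includesubdomains", _) => include_subdomains = true,
            ("preload", _) => preload = true,
            _ => {} // unknown directives are ignored per RFC 6797
        }
    }
    Some(HstsPolicy { max_age: max_age?, include_subdomains, preload })
}

/// Ok(policy) if the header satisfies the stated policy, Err(reason) otherwise.
pub fn check_hsts(value: &str) -> Result<HstsPolicy, String> {
    let p = parse_hsts(value).ok_or_else(|| "missing or malformed max-age".to_string())?;
    if p.max_age < MIN_MAX_AGE {
        return Err(format!("max-age {} is below one year ({})", p.max_age, MIN_MAX_AGE));
    }
    if !p.include_subdomains {
        return Err("includeSubDomains missing".to_string());
    }
    Ok(p)
}

fn main() {
    // Constructed sample header values, not captured from any real host.
    let samples = [
        "max-age=31536000; includeSubDomains",
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",
        "includeSubDomains",
        "max-age=0; includeSubDomains", // max-age=0 tells browsers to forget the host
    ];
    for s in samples {
        match check_hsts(s) {
            Ok(p) => println!("PASS  {s:?} -> {p:?}"),
            Err(e) => println!("FAIL  {s:?} -> {e}"),
        }
    }
}
```

Run it against the header returned by each production hostname; a `max-age=0` response is worth alerting on, because that is how a compromised or misconfigured origin would tell browsers to drop the HSTS entry.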

Access Control

OmniTwin enforces the principle of least privilege at every layer of the stack, from application-level RBAC to infrastructure access.

  • Authentication: All user accounts require strong passwords and support multi-factor authentication (MFA). SSO integration is available via SAML 2.0 and OIDC for enterprise customers.
  • Role-based access control: Granular RBAC allows organizations to assign specific permissions by role (viewer, operator, admin, owner) with full audit trails on all permission changes.
  • API authentication: All API access requires scoped tokens with configurable expiration. Token usage is logged and can be revoked instantly.
  • Infrastructure access: Production environment access is limited to authorized engineering staff through short-lived, just-in-time credentials. All production access is logged and reviewed weekly.

Network Security

Our network architecture follows a zero-trust model. No service implicitly trusts any other service, regardless of network location.

  • All inter-service communication uses mutual TLS (mTLS) with certificate-based authentication.
  • Network segmentation isolates production, staging, and development environments with no cross-environment connectivity.
  • Web Application Firewall (WAF) rules protect all public-facing endpoints against the common web attack classes in the OWASP Top 10, such as SQL injection and cross-site scripting (XSS).
  • DDoS protection is provided at the network edge with automatic traffic scrubbing and rate limiting.
  • All network traffic is logged and analyzed for anomalous patterns using automated threat detection.

Application Security

Security is built into every phase of our software development lifecycle, from design through deployment.

  • Secure SDLC: All code changes go through mandatory peer review with security-focused checklists. Automated static analysis (SAST) and dependency scanning run on every pull request.
  • Dependency management: We continuously monitor all third-party dependencies for known vulnerabilities using automated scanning tools. Critical vulnerabilities are patched within 24 hours of disclosure.
  • Container security: All container images are built from minimal base images, scanned for vulnerabilities before deployment, and run with read-only root filesystems and dropped capabilities.
  • Input validation: All user input is validated and sanitized at the application boundary, which is where injection attacks are stopped. Our Rust-based math engine performs deterministic, memory-safe CIDR validation, eliminating the buffer-overflow and integer-overflow bugs that address arithmetic in unsafe languages is prone to.
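To make the CIDR point concrete, here is an added example of strict IPv4 CIDR validation written the way a memory-safe, deterministic engine should be. It is not OmniTwin's engine and makes no claim about its internals. The overflow hazard it guards against is the prefix-length edge: the usual mask expression `~0 << (32 - prefix)` is an undefined shift for prefix 0 in C and silently yields a wrong mask, and the block size for /0 (2^32) does not fit in a 32-bit integer. Here `checked_shl` makes the /0 case explicit, sizes are computed in `u64`, and the parser rejects inputs that `u8::from_str` would otherwise accept (a leading `+`, leading zeros) as well as addresses with host bits set. All inputs are constructed.

```rust
// Added example, not OmniTwin's code: strict, overflow-free IPv4 CIDR validation.
use std::net::Ipv4Addr;

#[derive(Debug, PartialEq, Eq)]
pub struct Cidr {
    pub network: Ipv4Addr,
    pub prefix: u8,
}

#[derive(Debug, PartialEq, Eq)]
pub enum CidrError {
    MissingSlash,
    BadAddress,
    BadPrefix,
    /// Host bits were set; carries the canonical network address that should have been given.
    HostBitsSet(Ipv4Addr),
}

/// Network mask for prefix 0..=32 with no undefined shift:
/// checked_shl returns None for a shift of 32, which is exactly the /0 case.
pub fn mask(prefix: u8) -> Option<u32> {
    if prefix > 32 {
        return None;
    }
    Some(u32::MAX.checked_shl(32 - u32::from(prefix)).unwrap_or(0))
}

/// Strict parse of "a.b.c.d/n": decimal prefix 0..=32 with no sign or leading
/// zero, and the address must be the network address (host bits all zero).
pub fn parse_cidr(s: &str) -> Result<Cidr, CidrError> {
    let (addr_s, prefix_s) = s.split_once('/').ok_or(CidrError::MissingSlash)?;
    let addr: Ipv4Addr = addr_s.parse().map_err(|_| CidrError::BadAddress)?;
    // u8::from_str would accept "+8" and "08"; reject those explicitly.
    let well_formed = !prefix_s.is_empty()
        && prefix_s.len() <= 2
        && prefix_s.bytes().all(|b| b.is_ascii_digit())
        && !(prefix_s.len() == 2 && prefix_s.starts_with('0'));
    if !well_formed {
        return Err(CidrError::BadPrefix);
    }
    let prefix: u8 = prefix_s.parse().map_err(|_| CidrError::BadPrefix)?;
    let m = mask(prefix).ok_or(CidrError::BadPrefix)?;
    let bits = u32::from(addr);
    let network = Ipv4Addr::from(bits & m);
    if bits & !m != 0 {
        return Err(CidrError::HostBitsSet(network));
    }
    Ok(Cidr { network, prefix })
}

/// Membership test on masked u32 values; no arithmetic that can overflow.
pub fn contains(cidr: &Cidr, ip: Ipv4Addr) -> bool {
    let m = mask(cidr.prefix).expect("prefix was validated at parse time");
    u32::from(ip) & m == u32::from(cidr.network)
}

/// Number of addresses in the block, as u64 so that /0 (2^32) does not overflow.
pub fn size(cidr: &Cidr) -> u64 {
    1u64 << (32 - u64::from(cidr.prefix))
}

fn main() {
    // Constructed inputs, including the edge cases a naive parser gets wrong.
    let inputs = [
        "10.0.0.0/8", "0.0.0.0/0", "192.0.2.1/32", "192.0.2.1/24",
        "10.0.0.0/33", "10.0.0.0/+8", "10.0.0.0/08", "10.0.0.0",
    ];
    for s in inputs {
        match parse_cidr(s) {
            Ok(c) => println!("{s:<14} ok   network={} prefix={} size={}", c.network, c.prefix, size(&c)),
            Err(e) => println!("{s:<14} err  {e:?}"),
        }
    }
}
```

Returning the canonical network in `HostBitsSet` lets a UI offer the correction ("did you mean 192.0.2.0/24?") without the engine silently normalizing input, which keeps validation deterministic: the same string always produces the same result.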

Incident Response

We maintain a documented incident response plan that is tested and updated quarterly.

  • Detection: Automated monitoring and alerting covers all production services with sub-minute detection times for availability and security events.
  • Escalation: Security incidents are classified by severity (P0 through P3) with defined response times: P0 critical incidents receive immediate response with customer notification within 1 hour.
  • Communication: Affected customers are notified through multiple channels (email, in-app notification, status page) with regular updates until resolution.
  • Post-incident review: Every incident triggers a blameless post-mortem within 48 hours. Findings and remediation actions are tracked to completion and shared with customers when relevant.

Penetration Testing

OmniTwin conducts regular security assessments to identify and remediate vulnerabilities before they can be exploited.

  • Third-party penetration tests are conducted at least annually by qualified, independent security firms.
  • Automated vulnerability scanning runs continuously against all production services and infrastructure.
  • Results from all security assessments are tracked through remediation, with critical findings addressed within defined SLAs.
  • Summary reports from third-party assessments are available to enterprise customers under NDA upon request.

Employee Security

Our team follows strict security practices to protect customer data and infrastructure access.

  • All employees undergo background checks prior to employment and receive security awareness training during onboarding and annually thereafter.
  • Endpoint protection is mandatory on all company devices, including full-disk encryption, screen lock policies, and endpoint detection and response (EDR) software.
  • Access to customer data and production systems is granted on a need-to-know basis and reviewed quarterly.
  • All employees sign confidentiality agreements covering customer data, proprietary technology, and internal security practices.

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in OmniTwin, please report it to security@kortesalabs.com.

  • We will acknowledge receipt of your report within 24 hours.
  • We will provide an initial assessment and expected timeline within 72 hours.
  • We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
  • We will not take legal action against researchers who follow responsible disclosure practices.