Security

Last updated: March 2026

Tempered takes the security of your data seriously. This page describes our security practices and how to report vulnerabilities.

Infrastructure Security

Encryption in transit: All connections use TLS 1.2 or higher
Encryption at rest: Data is encrypted using AES-256
Network isolation: Services run in isolated container networks with firewall rules restricting access
Host hardening: Infrastructure hosts are hardened following CIS benchmarks with continuous compliance monitoring
Intrusion detection: Wazuh SIEM for file integrity monitoring, vulnerability detection, and security configuration assessment
Network monitoring: Zeek for network traffic analysis

Tenant isolation: Each organisation's data is logically isolated using contextvar-based scoping with per-query enforcement. Cross-tenant access is not possible through the application layer
API key security: API keys are hashed with SHA-256 before storage. The raw key is shown once at creation and cannot be recovered
Authentication: SSO via OpenID Connect. No passwords stored by Tempered
Secret management: All credentials are stored in HashiCorp Vault with GCP KMS auto-unseal and automated rotation
Input validation: All API inputs are validated through Django REST Framework serializers
CSRF protection: All form submissions are protected against cross-site request forgery

Continuous monitoring: Prometheus metrics, Grafana dashboards, and Alertmanager for real-time alerting
Centralised logging: All application and infrastructure logs are collected and searchable
Audit trail: All evaluation requests, API key operations, and administrative actions are logged with timestamps and actor identity

Tempered is pursuing the following standards:

If you discover a security vulnerability in Tempered, please report it responsibly to [email protected].

We commit to:

For details on how we process and protect your data, see our Data Processing Agreement and Privacy Policy.