Security at System R AI

Hosted on AWS with ECS Fargate (serverless containers), eliminating the attack surface of managing host machines. All infrastructure is defined as code and deployed through audited CI/CD pipelines with no static credentials.

Services run in private VPC subnets with strict security group rules. Only the application load balancer is publicly accessible. Internal service-to-service communication is encrypted and access-controlled.

All deployments use OIDC federation (GitHub Actions to AWS) with short-lived, scoped credentials. No long-lived access keys exist anywhere in the pipeline. IAM roles follow least-privilege principles.

All connections use TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced. API endpoints only accept HTTPS traffic. Certificate management is automated through AWS Certificate Manager.

All data stores use AES-256 encryption at rest. Database backups are encrypted. Secrets and configuration values are stored in AWS Systems Manager Parameter Store with KMS encryption.

Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified provider. We never store, process, or transmit credit card numbers. All payment tokens are managed by Stripe's secure infrastructure.

Broker connections use OAuth 2.0 where available. API keys are encrypted at rest and never logged. Each user's credentials are isolated. No shared credential stores.

Passwords are hashed using bcrypt with per-user salts. Session tokens are short-lived and rotated. Multi-factor authentication is available for all accounts. Brute-force protection with progressive rate limiting.

Trust-level based access control gates features by account state (registered, verified, subscribed, connected, ready). API endpoints enforce authorization at the route level with domain-layer purity maintained.

All user input is validated and sanitized at system boundaries. API request schemas are strictly typed. SQL injection, XSS, and other OWASP Top 10 vulnerabilities are mitigated through parameterized queries, output encoding, and Content Security Policy headers.

API endpoints enforce rate limits to prevent abuse. Limits scale by subscription tier. Automated detection flags anomalous usage patterns for review.

All code changes go through automated testing (13,000+ tests) before deployment. The staging environment mirrors production. Production deployments require all tests to pass. No manual server access is needed or permitted.

Comprehensive logging via CloudWatch with anomaly detection. Application metrics track error rates, latency, and authentication failures. Alerts are configured for security-relevant events.

We maintain an incident response procedure that includes identification, containment, eradication, recovery, and post-incident review. Users affected by a security incident will be notified within 72 hours.