Security Overview
Munera is built with security as a first-class concern, not an afterthought. This page summarises the security controls across the platform.
Security principles
Defence in depth
Multiple layers of controls — network, application, and data — so a failure in one layer doesn't compromise the whole system.
Least privilege
RBAC with 19 granular permissions. Every user and API key has only the access it needs.
Encryption everywhere
TLS 1.2+ in transit, AES-256 at rest for sensitive fields, Argon2 for passwords. No plaintext secrets.
Immutable audit trail
Every significant action is logged with a SHA-256 content hash for tamper detection. 55+ event types, 365-day retention.
Compliance features
| Feature | Details |
|---|---|
| Audit log export | CSV/JSON download of all 55+ event types with filters. Meets SOC 2, HIPAA, GDPR audit requirements. |
| Tamper detection | Each log entry includes a SHA-256 hash of the event payload. Modification of log entries is detectable. |
| SSO enforcement | Disable password login and require all members to authenticate via your identity provider. |
| 2FA enforcement | Require all organisation members to enable TOTP 2FA. |
| Session management | View and revoke active sessions for any user (Admin only). |
| Data retention | Configurable log retention policies with compliance holds (Enterprise). |
| Right to be forgotten | User data deletion on request. Contact privacy@munera.cloud. |
| Multi-tenancy isolation | All data is scoped by organisation_id at the query level. Cross-tenant data leaks are architecturally impossible. |
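The following is an added example, not Munera's own implementation, of the per-entry SHA-256 content hash that the audit-trail and tamper-detection descriptions above refer to. The event payload is serialised in a canonical JSON form (sorted keys, fixed separators) before hashing so that the same event always yields the same digest, and a verification pass reports which entries no longer match. It goes beyond what the page states in one respect: each entry also carries a chain hash over the previous entry's hash, so that deleting or reordering entries is detectable and not only editing one. The event fields and values are constructed for the example.

```python
import hashlib
import json

# Added example, not Munera's code. Constructed sample events in the shape of an
# audit log payload; field names are assumptions, not the platform's schema.
SAMPLE_EVENTS = [
    {"event_type": "user.login", "actor": "alice", "organisation_id": 17,
     "timestamp": "2024-05-01T09:00:00Z"},
    {"event_type": "api_key.created", "actor": "alice", "organisation_id": 17,
     "timestamp": "2024-05-01T09:05:00Z"},
    {"event_type": "member.removed", "actor": "alice", "organisation_id": 17,
     "target": "bob", "timestamp": "2024-05-01T09:10:00Z"},
]

# Chain anchor for the first entry (a fixed, all-zero "previous hash").
GENESIS = "0" * 64


def canonical(payload: dict) -> bytes:
    """Serialise deterministically: key order or whitespace must not change the hash."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def content_hash(payload: dict) -> str:
    """SHA-256 over the canonical payload, as the tamper-detection row describes."""
    return hashlib.sha256(canonical(payload)).hexdigest()


def chain_hash(prev_hash: str, payload_hash: str) -> str:
    """Link this entry to its predecessor (extension beyond the page's per-entry hash)."""
    return hashlib.sha256((prev_hash + payload_hash).encode("ascii")).hexdigest()


def append_event(log: list, payload: dict) -> dict:
    """Append an entry carrying its content hash and its chain hash."""
    prev = log[-1]["chain_hash"] if log else GENESIS
    entry = {"payload": payload, "content_hash": content_hash(payload)}
    entry["chain_hash"] = chain_hash(prev, entry["content_hash"])
    log.append(entry)
    return entry


def verify_log(log: list) -> list:
    """Return the indexes of entries whose content hash or chain link no longer matches.

    An edited payload fails its content hash; a deleted, inserted or reordered entry
    breaks the chain link of the entry that now follows the gap.
    """
    bad = []
    prev = GENESIS
    for i, entry in enumerate(log):
        ok_content = content_hash(entry["payload"]) == entry["content_hash"]
        ok_chain = chain_hash(prev, entry["content_hash"]) == entry["chain_hash"]
        if not (ok_content and ok_chain):
            bad.append(i)
        prev = entry["chain_hash"]
    return bad


def build_log() -> list:
    """Fresh log built from copies of the sample events."""
    log = []
    for payload in SAMPLE_EVENTS:
        append_event(log, dict(payload))
    return log


if __name__ == "__main__":
    log = build_log()
    print("intact log, bad entries:", verify_log(log))
    log[1]["payload"]["actor"] = "mallory"
    print("after editing entry 1:", verify_log(log))
    log = build_log()
    del log[1]
    print("after deleting entry 1:", verify_log(log))
```

A hash stored next to the entry it protects catches accidental corruption and naive edits; an actor who can rewrite the log row can also rewrite its hash, which is why the chain link above matters and why, in practice, the hashes or the chain head are also anchored somewhere the log writer cannot modify (a separate store, a signed export, or the CSV/JSON export mentioned in the table kept off the host).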
Security hardening (self-hosted)
For self-hosted deployments, we recommend:
- Enable unattended security upgrades on the host OS
- Configure UFW to allow only ports 22, 80, and 443
- Run Docker in rootless mode
- Protect `.env.production` with `chmod 600`
- Rotate `SECRET_KEY` and `ENCRYPTION_KEY` every 90 days
- Scan Docker images regularly with Trivy
- Add Nginx rate limiting to protect the API from abuse
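As an added example, not Munera's own tooling, the script below turns several of the recommendations above into checks an operator can run on the host: the `.env.production` mode, the presence of the two keys that are to be rotated, the set of ports UFW allows, and whether the Nginx config declares a `limit_req_zone`. The paths, the `hardening_report` function name and the sample `ufw status` text in the usage are assumptions for the example; the UFW check parses the plain `ufw status` output and needs root to obtain it.

```shell
#!/bin/sh
# Added example, not Munera's code. Assumes: path to .env.production, path to the
# Nginx site config, and `ufw status` output (read from stdin by the port check).

# Pass when the env file is readable and writable by its owner only (mode 600).
check_env_mode() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Pass when both keys the list says to rotate are present and non-empty.
check_env_keys() {
    grep -q '^SECRET_KEY=..*' "$1" && grep -q '^ENCRYPTION_KEY=..*' "$1"
}

# Read `ufw status` from stdin and print every allowed port other than 22, 80 and 443.
# Empty output means the firewall matches the recommendation.
unexpected_allowed_ports() {
    awk '$1 ~ /^[0-9]/ && /ALLOW/ {
        split($1, p, "/"); port = p[1]
        if (port != "22" && port != "80" && port != "443") print port
    }' | sort -u
}

# Pass when the Nginx config declares a limit_req_zone (API rate limiting configured).
check_nginx_rate_limit() {
    grep -q 'limit_req_zone' "$1"
}

# Run every check and exit non-zero if any fails.
# Usage (assumed paths): hardening_report /srv/munera/.env.production /etc/nginx/sites-enabled/munera
hardening_report() {
    env_file=$1; nginx_conf=$2; status=0
    check_env_mode "$env_file" && echo "ok   $env_file is mode 600" \
        || { echo "FAIL $env_file is not mode 600"; status=1; }
    check_env_keys "$env_file" && echo "ok   SECRET_KEY and ENCRYPTION_KEY are set" \
        || { echo "FAIL SECRET_KEY or ENCRYPTION_KEY missing"; status=1; }
    check_nginx_rate_limit "$nginx_conf" && echo "ok   Nginx rate limiting present" \
        || { echo "FAIL no limit_req_zone in $nginx_conf"; status=1; }
    extra=$(ufw status 2>/dev/null | unexpected_allowed_ports)
    if [ -n "$extra" ]; then
        echo "FAIL ufw allows ports beyond 22/80/443: $extra"; status=1
    else
        echo "ok   ufw allows only 22/80/443 (or ufw not readable as this user)"
    fi
    return $status
}
```

The port check only reports; it does not change firewall rules, so it is safe to run from a cron job or a deploy pipeline and fail the run when something drifts. Key age is deliberately not inferred from the env file's modification time, since the file changes for other reasons; track rotation dates in your change log instead.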
Reporting a vulnerability
Responsible disclosure
Please report security vulnerabilities to security@munera.cloud — never in public GitHub issues. We follow a 90-day responsible disclosure policy and respond to all reports within 2 business days.