
Security Guide

A24Z is built with security and compliance at its core. This guide covers our security model, best practices, and how to ensure your organization’s data remains protected.

Security Overview

Architecture Security

Multi-Tenant Isolation:
  • Each organization’s data is completely isolated
  • Role-based access control (RBAC)
  • No cross-organization data access
  • Secure by default configuration
Data Encryption:
  • ✅ All data encrypted in transit (TLS 1.3)
  • ✅ All data encrypted at rest
  • ✅ End-to-end encryption for API communications
  • ✅ Encrypted database backups
Infrastructure Security:
  • Regular security patches and updates
  • Infrastructure as Code (IaC) for consistency
  • Automated security scanning
  • DDoS protection

Access Control

Organization Roles

A24Z implements a hierarchical role-based access control system:
Role    | Access Level             | Permissions
Admin   | Full organization access | User management, billing, all data, API keys
CTO/VP  | Organization-wide data   | All team and user data, metrics, reports
Manager | Team data only           | Team members’ data and metrics
User    | Personal data only       | Own sessions, tools, and metrics

User Management

Adding Users:
  1. Navigate to Settings → Team
  2. Invite users by email
  3. Assign appropriate role
  4. Users receive secure invitation link
Best Practices:
  • Follow principle of least privilege
  • Regular access reviews (monthly recommended)
  • Remove access immediately upon role changes
  • Use team-based organization for easier management
Access Audit:
  • All access events are logged
  • Audit logs available for Admin role
  • Track login attempts, data access, and changes
  • Export audit logs for compliance

API Key Security

API Key Management

Key Creation:
# Create API key via CLI
a24z api-keys create --name "Production Key"

# Keys are scoped by user role:
# - Regular users: otel:write only
# - Admins: otel:write, otel:read, admin:read
Security Model:
  • Backend determines all permissions (never client-controlled)
  • Keys are hashed and encrypted at rest
  • Only partial key shown after creation
  • Cannot retrieve full key after creation
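
The security model above, sketched as an added example (not A24Z's own code): the backend keeps only a hash of each key and derives scopes from the role it has on record. The `sk_live_<id>_<secret>` layout, `KEY_STORE` and the function names are assumptions; encryption at rest of the datastore is outside this sketch.

```python
import hashlib
import hmac
import secrets

# Role-to-scope table from the guide; it lives on the backend only.
ROLE_SCOPES = {
    "user": {"otel:write"},
    "admin": {"otel:write", "otel:read", "admin:read"},
}
KEY_STORE = {}  # key_id -> record; hypothetical stand-in for the database


def create_key(name, role):
    """Mint a key, persist only its hash, and return the full key exactly once."""
    key_id = secrets.token_hex(4)
    full_key = f"sk_live_{key_id}_{secrets.token_urlsafe(32)}"
    KEY_STORE[key_id] = {
        "name": name,
        "role": role,  # taken from the caller's server-side identity, not the request
        # A fast hash is acceptable here because the key is 256 bits of randomness.
        "digest": hashlib.sha256(full_key.encode()).hexdigest(),
        "hint": f"{full_key[:12]}...{full_key[-4:]}",  # partial key for display
        "revoked": False,
    }
    return key_id, full_key


def authenticate(presented, requested_scope):
    """True only if the key matches, is not revoked, and its role grants the scope."""
    parts = presented.split("_", 3)
    if len(parts) != 4 or parts[:2] != ["sk", "live"]:
        return False
    record = KEY_STORE.get(parts[2])
    if record is None or record["revoked"]:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, record["digest"]):  # constant-time compare
        return False
    return requested_scope in ROLE_SCOPES[record["role"]]


def revoke(key_id):
    """Mark a key unusable; the stored hash stays for audit purposes."""
    KEY_STORE[key_id]["revoked"] = True
```

Because only the digest and the short hint are stored, a lost key cannot be recovered and has to be replaced through rotation.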

Best Practices

Key Rotation

Manual Rotation:
# Create new key
a24z api-keys create --name "Production Key v2"

# Update application configuration
export A24Z_API_KEY="sk_live_new_key..."

# Verify new key works
a24z status

# Revoke old key
a24z api-keys revoke <old-key-id>
Automated Rotation:
  • Can be implemented via your CI/CD pipeline
  • Store keys in secret management service
  • Rotate on schedule or on-demand
  • Zero-downtime rotation with overlap period

Monitoring Key Usage

Alerts to Configure:
  • Unusual usage patterns (spike in requests)
  • Geographic anomalies (requests from unexpected regions)
  • Failed authentication attempts
  • Usage approaching quota limits
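
Three of the alerts listed above (request spikes, unexpected regions, failed authentication) as detection logic over a handful of events. This is an added example, not part of the A24Z product; the event fields, thresholds and sample data are constructed assumptions, not the real audit-log schema.

```python
from collections import Counter, defaultdict


def ev(key_id, minute, status=200, region="US"):
    """Build one constructed usage event (hypothetical field names)."""
    return {"key_id": key_id, "minute": minute, "status": status, "region": region}


# Constructed sample: k1 bursts in minute 5, k2 fails auth repeatedly, k3 calls from BR.
EVENTS = (
    [ev("k1", m) for m in range(5) for _ in range(2)]
    + [ev("k1", 5) for _ in range(20)]
    + [ev("k2", 3, status=401) for _ in range(6)]
    + [ev("k3", 2, region="BR")]
)


def failed_auth(events, threshold=5):
    """Keys with at least `threshold` 401 responses."""
    fails = Counter(e["key_id"] for e in events if e["status"] == 401)
    return sorted(k for k, n in fails.items() if n >= threshold)


def unexpected_regions(events, expected):
    """(key, region) pairs seen outside the expected region set."""
    return sorted({(e["key_id"], e["region"]) for e in events
                   if e["region"] not in expected})


def spikes(events, factor=5):
    """(key, minute) pairs where volume is >= factor x the mean of earlier minutes."""
    per_min = defaultdict(Counter)
    for e in events:
        per_min[e["key_id"]][e["minute"]] += 1
    alerts = []
    for key, counts in per_min.items():
        minutes = sorted(counts)
        for i, m in enumerate(minutes[1:], 1):
            baseline = sum(counts[p] for p in minutes[:i]) / i
            if counts[m] >= factor * baseline:
                alerts.append((key, m))
    return sorted(alerts)
```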

Data Privacy

Data Collection

What We Collect:
  • Tool execution events (tool name, success/failure, duration)
  • Token usage metrics (input tokens, output tokens, costs)
  • Session metadata (session ID, timestamps)
  • User and organization identifiers
  • Error messages and logs
What We Don’t Collect:
  • ❌ Source code content
  • ❌ File contents being edited
  • ❌ Proprietary business logic
  • ❌ Customer data or secrets
  • ❌ Credentials or API keys

Data Retention

Default Retention:
  • Telemetry data: 90 days
  • Audit logs: 1 year
  • User data: Until account deletion
Custom Retention:
  • Configure retention policies per data type
  • Available for Enterprise plans
  • Compliance with GDPR, CCPA, HIPAA
Data Deletion:
# Request data deletion
Contact [email protected] with:
- Organization ID
- Data types to delete
- Time range (optional)

Compliance

Regulatory Compliance:
  • ✅ SOC 2 Type II certified
  • ✅ GDPR compliant
  • ✅ CCPA compliant
  • 🔄 ISO 27001 (in progress)
  • 🔄 HIPAA compliance (available on request)
Data Processing Agreement:
  • Available for Enterprise customers
  • Covers data handling, security measures
  • Subprocessor list maintained
  • Annual security audits

Network Security

API Security

Transport Security:
  • TLS 1.3 required for all connections
  • Certificate pinning available
  • HSTS headers enforced
  • Perfect forward secrecy (PFS)
Request Security:
  • Rate limiting per API key
  • Request validation and sanitization
  • CORS policies enforced
  • DDoS protection
Authentication:
  • API key authentication required
  • Keys must be sent via x-api-key header
  • No authentication via query parameters
  • Automatic key validation and enrichment

IP Whitelisting

Configure IP Restrictions:
# Add IP whitelist to API key
a24z api-keys update <key-id> \
  --whitelist "203.0.113.0/24,198.51.100.42"
Supported Formats:
  • Single IP: 203.0.113.42
  • CIDR range: 203.0.113.0/24
  • Multiple entries: comma-separated
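
A pre-flight check for the `--whitelist` value, as an added example that is not part of the A24Z CLI: it parses the comma-separated formats listed above, rejects malformed entries, and flags ranges that weaken the restriction. The `/16` floor and the function names are assumptions, and whether the service tolerates spaces or IPv6 entries is not stated on the page.

```python
import ipaddress

MIN_PREFIX_V4 = 16  # assumed policy floor: broader IPv4 ranges are flagged for review


def parse_whitelist(value):
    """Parse a comma-separated whitelist; raise ValueError on any bad entry."""
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in whitelist")
        # strict=True rejects CIDRs with host bits set, e.g. 203.0.113.5/24,
        # which usually means a typo in either the address or the prefix.
        net = ipaddress.ip_network(entry, strict=True)
        if net not in networks:
            networks.append(net)
    return networks


def review(networks):
    """Return warnings for entries that are too broad or redundant."""
    warnings = []
    for net in networks:
        if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            warnings.append(f"{net}: broader than /{MIN_PREFIX_V4}")
        for other in networks:
            if other != net and other.version == net.version and net.subnet_of(other):
                warnings.append(f"{net}: already covered by {other}")
    return warnings


def is_allowed(client_ip, networks):
    """Check whether a client address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)
```

Running `is_allowed` against the egress addresses of your own collectors before applying the update avoids locking a production key out of its own traffic.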

Incident Response

Security Incident Process

Detection:
  1. Automated monitoring and alerts
  2. User reports via [email protected]
  3. Security team monitoring
Response:
  1. Incident classification and prioritization
  2. Containment and mitigation
  3. Investigation and root cause analysis
  4. Remediation and recovery
  5. Post-incident review
Notification:
  • Critical incidents: Within 24 hours
  • High severity: Within 72 hours
  • Contact: [email protected]
  • Status page: status.a24z.ai

Reporting Security Issues

Responsible Disclosure: If you discover a security vulnerability:
  1. Do NOT publicly disclose the issue
  2. Email [email protected] with:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Your contact information
  3. We will acknowledge within 24 hours
  4. We will provide updates every 72 hours
  5. We will credit you (if desired) after fix
Bug Bounty Program:
  • Coming soon for qualified security researchers
  • Rewards for responsibly disclosed vulnerabilities
  • Details at security.a24z.ai/bug-bounty

Security Checklist

Initial Setup

Ongoing Maintenance

Compliance Audit

Enterprise Security Features

Advanced Security (Enterprise)

Single Sign-On (SSO):
  • SAML 2.0 support
  • Integration with Okta, Azure AD, Google Workspace
  • Automatic user provisioning (SCIM)
  • Just-in-time (JIT) provisioning
Advanced Audit Logging:
  • Detailed event logging
  • Log export to SIEM tools
  • Real-time streaming to external systems
  • Long-term retention (7+ years)
Custom Security Policies:
  • IP whitelisting at organization level
  • Session timeout configuration
  • Password complexity requirements
  • MFA enforcement
Dedicated Infrastructure:
  • Dedicated database instance
  • Custom data residency (US, EU, APAC)
  • Private network access
  • Custom encryption keys (BYOK)

Compliance Support

Available for Enterprise:
  • Dedicated security team
  • Custom DPA and BAA agreements
  • Quarterly compliance reviews
  • Penetration testing reports
  • Security questionnaire assistance
  • Vendor security assessments

Security Resources

Documentation

Contact

Status & Transparency

  • System Status: status.a24z.ai
  • Security Updates: security.a24z.ai
  • Compliance Certifications: a24z.ai/compliance
  • Trust Center: trust.a24z.ai
