Security

Last updated: 2026-05-10

Authentication

Xentr uses Supabase Auth for user identity, with role-based access control across six canonical roles. SSO via SAML/OIDC is available on Growth and Enterprise tiers.

Edge identity

Edge devices enroll via single-use claim codes and operate under 90-day operational certificates issued by our internal PKI. Certs rotate before expiry and revocations propagate via CRL within 5 minutes. Phase 1 pilots are running now; broker mTLS roll-out is tracked in our public roadmap.

Encryption

All HTTP traffic is served over TLS 1.2 or later. Database storage is encrypted at rest by the underlying provider (Supabase, Railway). MQTT broker hardening for per-tenant ACL isolation is in active rollout (M4 of the v2 schema plan).

Audit logging

Every mutating action (order updates, role changes, edge enrollment, cert issuance, settings changes) is recorded in an append-only audit log with actor identity, timestamp, request id and before/after context. Audit writes are issued asynchronously and retried, with Sentry as a fallback sink, so records are not lost if the process crashes. Customer admins can export their org's audit trail at any time.

Vulnerability disclosure

Report suspected vulnerabilities to security@xentr.ai. We triage P0 reports within 24 hours and target a coordinated disclosure within 90 days. We do not currently offer paid bounties but credit researchers in our security advisories with permission.

Compliance roadmap

We are building toward ISO 27001 and SOC 2 Type II. ISA/IEC 62443 alignment for the edge platform is in scope. 21 CFR Part 11 readiness is on the roadmap for regulated-industry customers (pharma, medical device).

Contact

Security questions or incident reports: security@xentr.ai.


This page describes our current security posture. See the GitHub SECURITY.md for the technical disclosure policy.