Security

Last updated: May 6, 2026

TerawattIQ is built for buyers in regulated industries. This page documents the architecture and controls we operate today, and the certifications on our roadmap.

Architecture

  • Hardened container fleet running as a non-root user with read-only root filesystems and all Linux capabilities dropped except those strictly required.
  • Separate Postgres + PostGIS database instances per environment; no production data ever flows to staging.
  • Edge layer enforces HSTS, strict CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, and per-route rate limiting.
  • Application layer enforces session cookies (httpOnly, Secure, SameSite=strict) plus double-submit CSRF tokens on every mutation.

Encryption

  • TLS 1.3 across all public endpoints. HSTS with preload enabled.
  • AES-256 at rest for both primary database and object storage.
  • Passwords stored with PBKDF2-SHA256, 200,000 iterations, per-user salt.

Access control

  • Role-based access on every API: viewer and admin roles, with future support for custom roles on the Team plan.
  • Admin actions are logged immutably with actor, IP, user-agent, and resource references.
  • API keys are hashed at rest; only a key preview is ever displayed after creation.
  • SSO / SAML / OIDC federation available on Team and Enterprise plans.

Monitoring & incident response

  • Prometheus metrics, Loki logs, Grafana dashboards on every production node.
  • 24×7 on-call rotation for Team and Enterprise customers.
  • Security incidents disclosed to affected customers within 72 hours.

Backups & recovery

  • Automated daily database snapshots, retention 7d / 4w / 6m.
  • Optional S3-compatible offsite replication.
  • Recovery time objective (RTO) 4 hours; recovery point objective (RPO) 24 hours.

Compliance posture

  • GDPR / CCPA — data subject rights honored today (export, correct, delete from your account settings, or by emailing privacy@).
  • SOC 2 Type II — on the roadmap. We have the controls in place (audit logging, RBAC, encryption, change management); independent attestation is paid work we will commission once revenue justifies it. We are not currently SOC 2 Type II certified.
  • HIPAA — single-tenant deployment available on Enterprise. The standard multi-tenant offering is not HIPAA-attested.

Reporting vulnerabilities

Email [email protected] with the details. We respond within one business day. Please give us 90 days to remediate before public disclosure. We do not currently run a paid bug-bounty program; we credit reporters in our security acknowledgments.