
Security Architecture

How Torvus Security protects your data

Comprehensive overview of Torvus Security's security architecture, including encryption, access controls, compliance, and threat protection.


Architecture Overview

Zero-Knowledge Design

Principle: Torvus cannot access your data, even if compelled.

How It Works:

  1. Client-Side Encryption: Data encrypted on your device before upload
  2. Key Management: Encryption keys never leave your device
  3. Zero-Knowledge Server: Server stores only encrypted data

What Torvus Can See:

  • Your email address and account metadata
  • Vault names and descriptions (encrypted)
  • File sizes and upload timestamps
  • Recipient list (names and emails)
  • Check-in activity

What Torvus Cannot See:

  • Document contents (encrypted)
  • Actual file names (encrypted)
  • Vault contents (encrypted)
  • Your master password (hashed)

Encryption

Data Encryption

Algorithm: AES-256-GCM (Advanced Encryption Standard, 256-bit keys, Galois/Counter Mode)

Why AES-256-GCM:

  • Industry standard for sensitive data
  • NIST-approved cryptographic algorithm
  • Authenticated encryption (integrity + confidentiality)
  • Resistant to known cryptographic attacks

Encryption-at-Rest

All data encrypted at rest:

  • Documents: AES-256-GCM
  • Metadata: AES-256-GCM
  • Database: Transparent Data Encryption (TDE)
  • Backups: AES-256-GCM

Key Storage:

  • AWS KMS (Key Management Service) (Pending)
  • Hardware Security Modules (HSM) (Pending)
  • Keys rotated quarterly (Pending)
  • Separate keys per customer (Pending - Enterprise)

Encryption-in-Transit

TLS 1.3 for all data transmission:

  • Web application: HTTPS with TLS 1.3
  • API: HTTPS with TLS 1.3
  • Mobile apps: Certificate pinning + TLS 1.3
  • Webhooks: HTTPS with TLS 1.3

Cipher Suites (in order of preference):

  1. TLS_AES_256_GCM_SHA384
  2. TLS_CHACHA20_POLY1305_SHA256
  3. TLS_AES_128_GCM_SHA256

Certificate Authority: Let's Encrypt with automated renewal


Key Derivation

Master Key Derivation: PBKDF2 (Password-Based Key Derivation Function 2)

Parameters:

  • Algorithm: PBKDF2-HMAC-SHA256
  • Iterations: 100,000
  • Salt: Unique per user (256-bit random)
  • Output: 256-bit master key

Why PBKDF2:

  • Slow by design (resists brute-force attacks)
  • NIST-approved standard
  • Well-tested and widely adopted

Document Encryption Flow

Upload Process:

  1. User selects document in browser/app
  2. Client generates unique encryption key (256-bit random)
  3. Document encrypted with AES-256-GCM using generated key
  4. Encryption key encrypted with user's master key
  5. Encrypted document + encrypted key sent to server
  6. Server stores encrypted data (cannot decrypt)

Download Process:

  1. User requests document
  2. Server sends encrypted document + encrypted key
  3. Client decrypts encryption key using master key
  4. Client decrypts document using decrypted encryption key
  5. Document displayed to user

Result: End-to-end encryption. Server never has access to plaintext data.


Access Controls

Authentication

Multi-Factor Authentication (MFA) Required:

  • TOTP (Time-based One-Time Password) - Recommended
  • SMS (text message codes) (Pending)
  • Hardware keys (YubiKey, Titan Security Key) (Pending - Enterprise)

Password Requirements:

  • Minimum 12 characters
  • Must include: uppercase, lowercase, number, special character
  • Cannot be common password (checked against database of 10M+ compromised passwords)
  • Cannot be reused (last 5 passwords remembered)

Password Hashing:

  • Algorithm: Argon2id (winner of Password Hashing Competition)
  • Parameters: Memory-hard, time-cost 3, memory-cost 64MB, parallelism 4
  • Salt: Unique per user (256-bit random)

Why Argon2id:

  • Most secure password hashing algorithm available
  • Resistant to GPU/ASIC attacks
  • Memory-hard (expensive to crack)

Session Management

Web Sessions:

  • Duration: 24 hours (extendable)
  • Secure cookies: HttpOnly, Secure, SameSite=Strict
  • Session tokens: 256-bit random, cryptographically secure

Mobile App Sessions:

  • Duration: 7 days with biometric authentication
  • Duration: 24 hours without biometric
  • Tokens stored in secure enclave (iOS Keychain, Android Keystore)

API Sessions:

  • API keys: No expiration by default, or a configurable expiration (90 days or 1 year)
  • Tokens: 256-bit random
  • Rate limiting: 1,000-10,000 requests/hour (plan-dependent)

Authorization

Role-Based Access Control (RBAC):

User Roles:

  • Owner: Full control over vault (create, read, update, delete)
  • Admin: Manage vault and contents (cannot delete vault)
  • Operator: View and upload documents
  • Viewer: Read-only access

Permission Matrix:

Action             | Viewer | Operator | Admin | Owner
View documents     |        |          |       |
Download documents |        |          |       |
Upload documents   |        |          |       |
Delete documents   |        |          |       |
Add recipients     |        |          |       |
Configure policies |        |          |       |
Delete vault       |        |          |       |

Recipient Permissions:

  • Set when recipient is added to vault
  • Can be changed by Admin or Owner
  • Verified when vault is released

Access Audit Logs

All access logged:

  • User ID and email
  • Action performed
  • Resource accessed
  • Timestamp (UTC)
  • IP address and geolocation
  • User agent and device
  • Success/failure status

Log Retention:

  • Professional: 90 days
  • Enterprise: 1 year (configurable up to 7 years)

Audit Log Access:

  • Console: Settings → Audit Logs
  • API: GET /v1/audit-logs
  • Export: CSV, JSON (Professional/Enterprise)

Compliance: Audit logs are immutable and tamper-evident


Infrastructure Security

Cloud Infrastructure

Hosting: Vercel (Frontend), Supabase (Backend/Database)

Regions:

  • US-East (primary)
  • US-West (failover) (Pending)
  • EU-West (GDPR compliance) (Pending - Enterprise)
  • Custom regions (Pending - Enterprise)

Services Used:

  • Vercel: Frontend hosting and edge functions
  • Supabase: PostgreSQL 15 database (encrypted)
  • Supabase Storage: Document storage (encrypted)
  • Vercel Edge Network: CDN (TLS 1.3, DDoS protection)
  • Cloudflare: DNS and additional DDoS protection
  • Additional AWS services (Pending):
    • KMS: Key management (HSM-backed) (Pending)
    • WAF: Web application firewall (Pending)
    • CloudTrail: Infrastructure audit logs (Pending)

Network Security

Virtual Private Cloud (VPC) (Pending):

  • Isolated network per customer (Pending - Enterprise)
  • Private subnets for database and application servers (Pending)
  • Public subnets for load balancers only (Pending)
  • NAT Gateway for outbound traffic (Pending)

Security Groups:

  • Strict firewall rules
  • Least privilege (deny-by-default)
  • Application tier: Only HTTPS (443) from load balancer
  • Database tier: Only PostgreSQL (5432) from application tier

DDoS Protection:

  • Vercel DDoS protection (included)
  • Cloudflare DDoS mitigation (active)
  • AWS Shield (Pending - if migrating to AWS)

Server Security

Operating System:

  • Ubuntu 22.04 LTS (Long Term Support)
  • Automatic security updates
  • Minimal installed packages (reduced attack surface)
  • Immutable infrastructure (servers replaced, not patched)

Application Hardening:

  • Non-root execution
  • SELinux enabled (mandatory access control)
  • File integrity monitoring (AIDE)
  • Host-based intrusion detection (OSSEC)

Container Security:

  • Docker containers (isolated processes)
  • Read-only file systems
  • No privileged containers
  • Image vulnerability scanning (Trivy)

Database Security

PostgreSQL 15:

  • Encryption at rest (TDE)
  • Encryption in transit (TLS 1.3)
  • Row-level security policies
  • Parameterized queries (SQL injection prevention)

Backups:

  • Automated daily backups
  • Encrypted (AES-256-GCM)
  • Multi-region replication
  • Point-in-time recovery (7 days retention)

Access Control:

  • Separate database credentials per application instance
  • Least privilege (application can only access own tables)
  • No public internet access (private subnet only)

Compliance & Certifications

SOC 2 Type II (Pending)

Status: In progress

Target Certification: 2026

Trust Service Criteria (Target):

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

Reports Available: Upon completion (NDA required)


ISO 27001:2013 (Pending)

Status: Planned

Target Certification: 2026

Scope: Information Security Management System (ISMS)

Target Certification Body: BSI or equivalent


GDPR Compliance

General Data Protection Regulation (EU)

Data Subject Rights:

  • Right to access (export all data)
  • Right to erasure ("right to be forgotten")
  • Right to rectification (update information)
  • Right to data portability (standard formats)
  • Right to object (opt-out of processing)

Data Processing Agreements: Available for Enterprise customers (Pending)

Data Residency: EU data centers available (Pending - Enterprise)

Data Protection Officer (DPO): dpo@torvussecurity.com


CCPA Compliance

California Consumer Privacy Act (US)

Consumer Rights:

  • Right to know what data is collected
  • Right to delete personal information
  • Right to opt-out of data sale (Torvus never sells data)
  • Right to non-discrimination

HIPAA Compliance (Pending - Enterprise)

Health Insurance Portability and Accountability Act (US)

Status: Planned for Enterprise tier

Target: Available for Enterprise customers storing Protected Health Information (PHI)

Requirements (When Available):

  • Business Associate Agreement (BAA)
  • Enhanced audit logging
  • Breach notification procedures
  • Administrative, physical, and technical safeguards

Contact: compliance@torvussecurity.com


Threat Protection

Intrusion Detection

SIEM (Security Information and Event Management) (Pending):

  • Real-time log analysis (Pending)
  • Anomaly detection (Pending)
  • Automated alerting (In development)
  • 24/7 security operations center (SOC) (Pending - Enterprise)

Detection Capabilities:

  • Brute-force authentication attempts
  • Unusual access patterns
  • Data exfiltration attempts
  • Privilege escalation
  • Suspicious API usage
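A detector for the first capability above, brute-force authentication attempts, as an added example (not Torvus code) run over constructed audit records in the shape listed under Access Audit Logs (user, action, resource, UTC timestamp, IP, user agent, success/failure). The thresholds, field names and sample records are assumptions.

```javascript
// Thresholds and field names are assumptions; the record shape follows the fields listed under "All access logged".
const FAILURE_THRESHOLD = 5;      // failed logins from one (IP, account) pair that raise an alert
const WINDOW_MS = 10 * 60 * 1000; // sliding window of 10 minutes

// Builds one constructed audit record at 09:<minute> UTC on a fixed day.
function record(minute, ip, email, status) {
  return {
    userId: email.split('@')[0], email, action: 'login', resource: '/auth',
    timestamp: `2025-10-24T09:${String(minute).padStart(2, '0')}:00Z`,
    ip, geolocation: 'unknown', userAgent: 'curl/8.0', status,
  };
}

// Constructed sample log: five rapid failures against one account from one IP,
// then a success; a second account with two failures 30 minutes apart.
const auditLogs = [
  ...[0, 1, 2, 3, 4].map(m => record(m, '203.0.113.7', 'alice@example.com', 'failure')),
  record(5, '203.0.113.7', 'alice@example.com', 'success'),
  record(0, '198.51.100.2', 'bob@example.com', 'failure'),
  record(30, '198.51.100.2', 'bob@example.com', 'failure'),
];

// Groups failed logins by (IP, account) and slides a time window over each group.
// An alert also notes whether a successful login from the same pair followed the burst.
function detectBruteForce(logs, threshold = FAILURE_THRESHOLD, windowMs = WINDOW_MS) {
  const failures = new Map();
  for (const r of logs) {
    if (r.action !== 'login' || r.status !== 'failure') continue;
    const key = `${r.ip}|${r.email}`;
    if (!failures.has(key)) failures.set(key, []);
    failures.get(key).push(Date.parse(r.timestamp));
  }
  const alerts = [];
  for (const [key, times] of failures) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) {
        const [ip, email] = key.split('|');
        const success = logs.some(r => r.ip === ip && r.email === email && r.status === 'success' && Date.parse(r.timestamp) > times[end]);
        alerts.push({ ip, email, failures: end - start + 1, followedBySuccess: success });
        break; // one alert per (IP, account) pair
      }
    }
  }
  return alerts;
}

console.log(detectBruteForce(auditLogs));
```

An alert with followedBySuccess set is the case worth paging on, since it points at a credential that was actually guessed rather than merely attacked.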

DDoS Protection

Mitigation Layers:

  1. Cloudflare: Layer 3/4 DDoS protection (network/transport)
  2. AWS Shield: Layer 3/4/7 protection (application layer)
  3. Rate Limiting: Application-level request throttling

Mitigation Capacity: 10+ Tbps


Malware Scanning

All uploaded documents are automatically scanned:

  • ClamAV (open-source antivirus with 8M+ signatures) ✅
  • Real-time scanning on upload ✅
  • Automatic quarantine system ✅
  • Archive scanning (ZIP, RAR, 7Z contents) ✅
  • Signature updates every 2-4 hours ✅

Additional planned enhancements:

  • VirusTotal API integration (59 antivirus engines) (Pending)
  • Custom heuristics (Pending)

Quarantine: Infected files are immediately quarantined and flagged in the vault interface


Vulnerability Management

Vulnerability Scanning:

  • Weekly automated scans (Nessus)
  • Continuous dependency scanning (Snyk)
  • Container image scanning (Trivy)

Penetration Testing:

  • Annual penetration tests by third-party (Pending)
  • Bug bounty program (Pending - HackerOne)

Patch Management:

  • Critical: 24 hours
  • High: 7 days
  • Medium: 30 days
  • Low: 90 days

Incident Response

Security Incident Response Plan (SIRP)

Phases:

  1. Detection: Automated monitoring + manual review
  2. Containment: Isolate affected systems
  3. Eradication: Remove threat, patch vulnerabilities
  4. Recovery: Restore services, verify integrity
  5. Lessons Learned: Post-incident review, update procedures

Breach Notification

Timeline:

  • Internal notification: Immediate (within 1 hour)
  • Customer notification: 72 hours (if data affected)
  • Regulatory notification: As required by law (GDPR: 72 hours)

Notification Methods:

  • Email to account holder
  • In-app notification
  • Status page update (status.torvussecurity.com)
  • Public disclosure (if widespread)

Business Continuity

Disaster Recovery:

  • Multi-region architecture (US-East, US-West)
  • Automated failover (< 5 minutes)
  • Backup data centers (hot standby)

Recovery Objectives:

  • RTO (Recovery Time Objective): 1 hour
  • RPO (Recovery Point Objective): 15 minutes

Backup Strategy:

  • Continuous replication to secondary region
  • Daily full backups (retained 30 days)
  • Quarterly archive backups (retained 7 years)

Security Operations

24/7 Security Monitoring (Pending - Enterprise)

Security Operations Center (SOC) (Pending):

  • 24/7/365 monitoring (Pending - Enterprise)
  • Real-time alert triage (Pending)
  • Incident response coordination (Pending)

Monitored Systems:

  • Application logs
  • Infrastructure logs
  • Network traffic
  • Access logs
  • Vulnerability scans

Security Team (Growing)

Current Team Structure:

  • Security Lead
  • Development team with security training
  • Compliance Officer (Pending)
  • Data Protection Officer (Pending)

Target Team Structure (As we scale):

  • CISO (Chief Information Security Officer)
  • Security Engineers
  • Security Analysts
  • Dedicated Compliance Officer
  • Dedicated Data Protection Officer

Certifications:

  • CISSP (Certified Information Systems Security Professional)
  • CEH (Certified Ethical Hacker)
  • OSCP (Offensive Security Certified Professional)

Responsible Disclosure

Bug Bounty Program (Pending)

Platform: Planned for HackerOne

Scope: All Torvus Security services

Planned Rewards:

  • Critical: $5,000 - $10,000
  • High: $1,000 - $5,000
  • Medium: $500 - $1,000
  • Low: $100 - $500

Launch Target: 2026

Current: Responsible disclosure via security@torvussecurity.com


Security Contact

Email: security@torvussecurity.com

PGP Key: Available at https://torvussecurity.com/security.txt

Response Time: 24 hours



Last Updated: October 24, 2025

Next Review: January 24, 2026