Security Overview
Torvus Security Platform is built with security at its core. This document provides an overview of our security architecture, practices, and commitments.
Our Commitment to Securityβ
Security is not an afterthought at Torvusβit's fundamental to everything we build. We employ industry-leading security practices to protect your sensitive data.
Core Security Principlesβ
- Defense in Depth: Multiple layers of security controls
- Least Privilege: Minimal access rights for users and systems
- Zero Trust: Verify every request, never assume trust
- Data Minimization: Collect and store only what's necessary
- Transparency: Clear communication about our security practices
Encryptionβ
Data at Restβ
All data stored in Torvus is encrypted using industry-standard encryption:
- Algorithm: AES-256-GCM encryption
- Key Management: Secure key derivation and wrapping
- Storage: Encrypted database fields for sensitive data
- Backups: Encrypted backups with separate encryption keys
Data in Transitβ
All data transmitted to and from Torvus is encrypted:
- TLS 1.3: Latest transport layer security protocol
- Certificate Pinning: Enhanced protection against man-in-the-middle attacks
- HTTPS Everywhere: All connections use HTTPS
- HSTS: HTTP Strict Transport Security enabled
End-to-End Encryptionβ
For highly sensitive vault contents:
- Client-Side Encryption: Data encrypted before leaving your device
- Zero-Knowledge Architecture: Server never sees encryption keys
- Forward Secrecy: Compromised keys don't expose past data
Authentication & Access Controlβ
Multi-Factor Authenticationβ
Torvus supports multiple authentication methods:
- WebAuthn/Passkeys: Biometric authentication with FIDO2 security keys
- TOTP: Time-based one-time passwords (Google Authenticator, Authy)
- Magic Links: Passwordless email authentication
- Email OTP: One-time password codes via email
Access Controlβ
Fine-grained access control system:
- Role-Based Access Control (RBAC): Predefined roles with specific permissions
- Row-Level Security (RLS): Database-level access controls
- Attribute-Based Access Control: Contextual access decisions
- Principle of Least Privilege: Users only get necessary permissions
Session Managementβ
Secure session handling:
- Short-Lived Tokens: Access tokens expire after 1 hour
- Refresh Tokens: Secure token rotation mechanism
- Session Invalidation: Immediate logout on security events
- Device Tracking: Monitor and manage active sessions
Infrastructure Securityβ
Hosting & Infrastructureβ
- Cloud Provider: Hosted on Vercel with Supabase backend
- Geographic Distribution: Data centers in multiple regions
- DDoS Protection: Cloudflare protection against attacks
- Network Isolation: Virtual private clouds and network segmentation
Database Securityβ
- PostgreSQL: Industry-standard relational database
- Row-Level Security: Database-enforced access controls
- Encrypted Connections: All database connections use SSL/TLS
- Regular Backups: Automated encrypted backups with point-in-time recovery
Application Securityβ
- CSRF Protection: Double-submit cookie pattern
- XSS Prevention: Content Security Policy and input sanitization
- SQL Injection Protection: Parameterized queries and ORM
- Rate Limiting: API and authentication rate limits
- Input Validation: Strict validation of all user inputs
- Malware Scanning: Automated virus detection on all uploaded files
Malware Protectionβ
Every document uploaded to Torvus is automatically scanned for malware:
- ClamAV Engine: Industry-standard open-source antivirus with 8M+ signatures
- Real-Time Scanning: Files scanned within seconds of upload
- Automatic Quarantine: Infected files immediately isolated
- Archive Scanning: Contents of ZIP, RAR, 7Z files scanned
- Signature Updates: Virus database updated every 2-4 hours
- Performance: Average scan time < 1 second for most files
Protection Against:
- Known malware (viruses, trojans, ransomware, spyware)
- Malicious macros in Office documents
- Infected executable files
- Archive bombs and malicious compressed files
Learn more about Malware Scanning β
Audit Loggingβ
Comprehensive audit logging for compliance and security:
What We Logβ
- Authentication Events: Login, logout, failed attempts
- Access Events: Document access, vault opens, recipient views
- Modification Events: Creates, updates, deletes
- Administrative Actions: Permission changes, user management
- Security Events: MFA changes, session invalidations
Log Retentionβ
- Retention Period: Minimum 90 days, configurable up to 7 years
- Tamper-Proof: Append-only logs with cryptographic integrity
- Access Controls: Restricted access to audit logs
- Export: Ability to export logs for compliance
Compliance & Certificationsβ
Current Complianceβ
- GDPR: General Data Protection Regulation compliance
- CCPA: California Consumer Privacy Act compliance
- Data Protection: Strong data protection and privacy controls
Planned Certifications (Pending)β
- SOC 2 Type II: Security, availability, and confidentiality (Pending)
- ISO 27001: Information security management (Pending)
- HIPAA: Healthcare data protection (Pending - Enterprise)
Security Practicesβ
Secure Developmentβ
- Security Training: Regular security training for all developers
- Code Reviews: Mandatory peer review for all code changes
- Static Analysis: Automated security scanning of codebase
- Dependency Scanning: Regular vulnerability scans of dependencies
- Penetration Testing: Annual third-party security assessments
Incident Responseβ
- Incident Response Plan: Documented procedures for security incidents
- 24/7 Monitoring: Continuous security monitoring and alerting
- Rapid Response: Dedicated security team for incident handling
- Disclosure Policy: Responsible disclosure of security issues
Vulnerability Managementβ
- Patch Management: Rapid deployment of security patches
- Vulnerability Scanning: Regular automated and manual scans
- Bug Bounty Program: Planned reward program for security researchers (Pending)
- CVE Tracking: Monitor and respond to published vulnerabilities
Data Privacyβ
Data Collectionβ
We practice data minimization:
- Necessary Data Only: Collect only what's required for functionality
- Transparent Collection: Clear disclosure of data collection
- User Control: Users control their data and can export/delete
- Anonymization: Analytics data is anonymized where possible
Data Retentionβ
- Retention Policies: Clear retention periods for different data types
- Soft Deletes: 7-day grace period for accidental deletions
- Hard Deletes: Permanent deletion after grace period
- Right to Erasure: Complete data deletion on request
Data Sharingβ
- No Third-Party Sharing: Data not shared with third parties
- Service Providers: Limited sharing with essential service providers
- Legal Requirements: Disclosure only when legally required
- User Control: Users control sharing preferences
Physical Securityβ
Data Center Securityβ
Our cloud providers maintain:
- 24/7 Security: Round-the-clock physical security
- Access Controls: Biometric access to data centers
- Video Surveillance: Continuous monitoring
- Environmental Controls: Fire suppression, climate control
Reporting Security Issuesβ
We take security vulnerabilities seriously and appreciate responsible disclosure.
How to Reportβ
Email: security@torvussecurity.com
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information
Our Commitmentβ
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 48 hours
- Status Updates: Regular updates on progress
- Credit: Public credit for responsible disclosure (if desired)
What to Expectβ
- We'll acknowledge your report within 24 hours
- We'll provide an initial assessment within 48 hours
- We'll keep you informed of our progress
- We'll notify you when the issue is resolved
- We'll give you credit for the discovery (if desired)
Security Resourcesβ
Documentationβ
External Resourcesβ
Contactβ
- Security Team: security@torvussecurity.com
- General Support: support@torvussecurity.com
- Privacy Questions: privacy@torvussecurity.com
Last Updated: October 2025