Keeping your account, your apps and your data safe is a core part of building Sentrix — not an afterthought. This page summarises the main controls we have in place. If you have a security question we haven’t answered here, or you’d like to report an issue, see “Reporting a Vulnerability” below.
1. Account & Access Security
- Passwords are never stored in plain text — they are hashed with bcrypt before being saved.
- Sessions use short-lived JSON Web Tokens with rotating refresh tokens, so a leaked access token has a limited window of use.
- Optional time-based one-time-passcode (TOTP) multi-factor authentication is available on accounts via any standard authenticator app, and is required for platform-administrator access.
- Role-based access control (viewer, builder, organisation admin, platform admin) ensures people only see and do what their role allows.
- Each organisation’s projects, users and published apps are logically isolated from every other organisation’s.
2. Encryption
- Traffic between your browser, our apps, and our servers is encrypted in transit using TLS.
- Databases and backups are encrypted at rest.
3. Application & Code Security
- We run continuous automated dependency and static-analysis scanning across our codebase to catch known-vulnerable packages and risky code patterns before they reach production.
- Code changes go through review before being deployed.
- We follow the principle of least privilege for internal tools and infrastructure access — engineers only get the access they need to do their job.
4. Infrastructure
- The Service runs on containerised infrastructure with separated production, staging and development environments, so changes are tested before they reach your data.
- Access to production systems is restricted to authorised personnel, protected by multi-factor authentication, and logged.
- We take regular automated backups and periodically test our restore process.
5. Monitoring, Auditing & Incident Response
- Platform activity — including an administrator audit log of sensitive actions — is recorded centrally so unusual behaviour can be detected and investigated.
- We maintain an internal incident-response process to triage, contain and remediate security issues. Where an incident affects your data, we will notify you in line with our contractual and legal obligations and without undue delay.
6. Your Responsibilities
Security is a shared responsibility. To help keep your account and apps safe:
- Use a strong, unique password and enable multi-factor authentication on your account.
- Keep any third-party credentials you configure — for example AI-provider API keys used by the AI Assistant, or webhook secrets used by your scripts — confidential, and rotate them if you suspect they’ve been exposed.
- Apply sensible access controls and data-handling practices within the apps you design and publish, especially where they collect personal data from your own end users.
- Keep the people who have access to your organisation’s Sentrix account up to date, and remove access promptly when someone leaves.
7. Reporting a Vulnerability
We welcome reports from security researchers and users acting in good faith. If you believe you’ve found a security vulnerability in Sentrix:
- Email us at security@sentrix.build with enough detail for us to understand and reproduce the issue (steps, affected URL/feature, and impact).
- Give us a reasonable opportunity to investigate and address the issue before disclosing it publicly.
- Avoid actions that could harm the Service or other users — for example, do not access, modify or delete data that isn’t yours, and do not run automated scanning tools that could degrade the Service.
We will acknowledge your report, keep you reasonably informed of our progress, and credit you (if you wish) once the issue is resolved. Research conducted in line with this policy is considered authorised and we will not pursue legal action over it.
8. Questions
For anything else security-related, contact security@sentrix.build.
For how we handle personal data, see our Privacy Policy.