FeaturesUse CasesBlogAPI ReferenceWhy CorePlexMLPricing
Start Free
Security

Enterprise Security

Security-first architecture with multi-layer authentication, granular access control, encryption at every layer, and compliance-ready audit infrastructure.

Security at every layer

From authentication to data storage, every component is designed with defense-in-depth principles to protect your ML workflows and sensitive data.

Authentication Stack

Multi-layer authentication supporting session-based UI access, API key authentication, OAuth providers, and enterprise SSO for seamless identity federation.

  • Secure cookie-based sessions with CSRF protection for browser UI
  • Bearer token authentication for API integrations and SDKs
  • OAuth 2.0 providers: Google and GitHub single sign-on
  • Enterprise SSO via SAML 2.0 and OpenID Connect (OIDC)

Role-Based Access Control

Granular project-scoped permissions with three defined roles. Every API endpoint enforces ownership verification before granting access to resources.

  • Owner: full control including member management and deletion
  • Editor: create and modify datasets, experiments, and deployments
  • Viewer: read-only access to project resources and dashboards
  • Ownership verification on every endpoint via require_project_owned()

Data Security

Defense-in-depth data protection with PostgreSQL row-level security, AES-256 encryption at rest, TLS 1.3 in transit, and private subnet database deployment.

  • PostgreSQL row-level security for tenant data isolation
  • AES-256 encryption at rest for all stored data and artifacts
  • TLS 1.3 encryption in transit for all API and UI connections
  • Databases deployed in private subnets with no direct internet access

Audit & Compliance

Comprehensive audit trail capturing every security-relevant event. Built-in compliance tooling for GDPR data export, right-to-erasure, and regulatory reporting.

  • Immutable audit log for authentication, access, and data operations
  • Security event tracking: failed logins, permission changes, key rotations
  • GDPR Article 20 data portability via full account data export API
  • Right-to-erasure: complete account and data deletion within 30 days

API Key Management

Secure API key lifecycle with scoped permissions, automatic rotation policies, and instant revocation. Keys are hashed at rest and never stored in plain text.

  • Create multiple API keys with descriptive labels per account
  • Scoped permissions: restrict keys to specific projects or endpoints
  • Configurable rotation policies with grace periods for migration
  • Instant revocation with real-time propagation across all services

Session Management

Dual authentication model with secure cookie sessions for the browser UI and stateless Bearer tokens for API consumers. Configurable expiration and idle timeout policies.

  • HttpOnly, Secure, SameSite cookie sessions with CSRF token validation
  • Stateless JWT Bearer tokens for API and SDK authentication
  • Configurable session expiration and idle timeout thresholds
  • Concurrent session limits with forced logout on password change
RBAC

Permission matrix

Project-scoped roles with clear permission boundaries. Every API call is verified against the caller's role before execution.

ActionOwnerEditorViewer
View projects & dashboards
Upload datasets & versions
Run AutoML experiments
Deploy models to endpoints
Configure alerts & retraining
Manage project members
Delete project & resources
Rotate & revoke API keys
AES-256
Encryption at rest
TLS 1.3
Encryption in transit
SOC 2
Type II ready
99.9%
Uptime SLA
COMPLIANCE

Built for regulatory compliance

HIPAA
Health Insurance Portability and Accountability Act
PHI protection, access controls, audit trails
GDPR
General Data Protection Regulation
Data export, right to erasure, consent management
PCI-DSS
Payment Card Industry Data Security Standard
Cardholder data encryption, access logging
CCPA
California Consumer Privacy Act
Consumer data rights, opt-out, disclosure
PRACTICES

Security operations

Vulnerability management

Regular security audits and automated dependency vulnerability scans. Critical patches applied within 24 hours of disclosure.

Responsible disclosure

We maintain a responsible disclosure program and welcome security researchers to report vulnerabilities to security@coreplexml.io.

Incident response

Documented incident response plan with defined escalation paths, 24/7 on-call rotation, and post-incident review process.

Penetration testing

Annual third-party penetration testing of all external-facing services, APIs, and authentication flows with remediation tracking.