Security & Compliance

Your data stays with you. With proof.

ShamashAi's security architecture — at-rest + in-transit encryption, RBAC + MFA, append-only audit, KVKK Article 12 and ISO 27001:2022 Annex A evidence-mapped reporting. Production hardening checklist and air-gap deployment.

AES-256-GCM at rest
Ed25519-signed license
TOTP MFA + policy
OIDC SSO
ISO 27001 + KVKK

AT-REST

  • · Device credentials → AES-256-GCM (CREDENTIAL_KEY)
  • · API keys → limited by trustHost
  • · Web push subscriptions → GCM AEAD
  • · Agent token → SHA-256 hash (no plaintext in DB)
  • · Password → scrypt (N=16384, r=8, p=1)
  • · License key → Ed25519-signed JWT
  • · MFA secret → encrypted (CREDENTIAL_KEY)

IN-TRANSIT

  • · Web ↔ API → HTTPS (reverse proxy) · TLS 1.2+
  • · Agent ↔ API → HTTPS · Bearer token
  • · SQL ↔ API → TLS optional · trustServerCert env
  • · Fortigate ↔ API → HTTPS REST · trusted host
  • · vCenter ↔ Agent → HTTPS REST · InsecureTls flag
  • · Helmet middleware → CSP, X-Frame-Options
  • · CORS → SHAMASHAI_CORS_ORIGINS, wildcard forbidden

User authentication

TopicDetail
AlgorithmJWT HS256 · JWT_SECRET min 32 chars
Passwordscrypt (N=16384, r=8, p=1)
CookieHttpOnly · SameSite=Lax · Secure (prod)
TTL7 days default · jti session row, revocable
BootstrapFirst admin via env ADMIN_EMAIL + ADMIN_PASSWORD

3-role RBAC

RolePermissions
adminEverything: users, license, retention, settings, delete
analystEvent triage, incident close, SOAR block + quarantine, alert rule authoring
viewerView only · export · reporting

Project-scoped membership: the same user can have different roles in different projects. The backend enforces effectiveProjectRole(userRole, membershipRole) minimum at every endpoint. Analyst-role users can be further restricted with per-category permissions — e.g. "only firewall + switch visible, hide identity and database".

OIDC SSO (corporate identity provider)

  • Standard OpenID Connect Authorization Code flow + PKCE
  • Issuer, client_id and client_secret defined via env
  • Login page shows a "Sign in with company SSO" button when OIDC is on; the local password form remains as an admin fallback
  • User auto-provisioned from OIDC profile claims (email, name); default role assigned by admin on first sign-in
  • Endpoints: /auth/oidc/status, /auth/oidc/start, /auth/oidc/callback
  • Tested with Entra ID, Okta, Keycloak, Authelia and standard OIDC providers

OIDC is the clean way to delegate MFA to the identity provider — the IT manager manages one MFA policy in Entra/Okta, ShamashAi's local MFA stays off.

MFA policy enforcement

The admin panel governs MFA enforcement in three modes:

  • off — MFA optional (not the default — not recommended for production)
  • admins — required for admin-role users only (default)
  • all — required for all users including viewers

Policy changes are written to the audit log. When MFA becomes mandatory, the user is redirected to TOTP enrollment on next login; they can't reach internal pages until they complete it.

MFA · TOTP + QR code

  • beginUserMfaSetup → 32-char secret + otpauth_uri (QR generated)
  • verifyUserMfaSetup → 6-digit code verification (TOTP, SHA-1, 30s window)
  • disableUserMfa → user disables their own (current TOTP required)
  • resetUserMfaAdmin → admin resets someone else's MFA (audit logged)
  • Login flow: password OK → if MFA enabled, prompt for 6-digit code → session start

Session management

  • listUserSessions(userId, limit=20) — IP, user agent, last_used, expires_at
  • revokeUserSession(userId, jti) — single session
  • revokeUserSessions(userId, exceptJti?) — everything else

Agent token

  • Format: shamashai_agent_<base64>
  • Stored: SHA-256 hash (no plaintext in DB)
  • Per-project scope
  • Plaintext shown once (at creation), unrecoverable afterwards
  • Revocable, last_used_at tracked
TableRetentionNotes
eventsDefault 90 daysPer-project tunable projects.retention_days
reachability_logsSeparate (default 30 days)Health checks — kept out of events
audit_logForeverAppend-only · retentionless for forensics
soar_actionsForeverAppend-only · evidence
maintenance_windowsForeverPast windows preserved
5651 legal archive2 yearsv1.5 roadmap (S3/MinIO)

Nightly job: DELETE FROM events WHERE timestamp < NOW - retention_days. Manual run + stats endpoint for tracking. Retention changes are audit-logged.

Compliance
Compliance · evidence-mapped reports

ISO/IEC 27001:2022 Annex A — 19 controls

  • Organizational (A.5) — Threat intelligence, Acceptable use, Incident management, Event assessment, Incident response, Evidence collection
  • People (A.6) — Awareness/training
  • Technological (A.8) — Privileged access (A.8.2), Secure auth (A.8.5), Malware protection (A.8.7), Vulnerability mgmt (A.8.8), Configuration (A.8.9), Information deletion (A.8.10), Data leakage (A.8.12), Logging (A.8.15), Monitoring (A.8.16), Clock sync (A.8.17), Network security (A.8.20), Web filtering (A.8.23)

KVKK Article 12 — 6 sub-articles

  1. Preventing unauthorized access
  2. Log retention
  3. Retention policies
  4. Penetration test evidence
  5. Breach notification
  6. Audit readiness

Status computation

Each control has a min_evidence_count threshold. If event count exceeds it, the control is Covered; if events exist but fall short, it's Partial; if there are none, it's No evidence. Drilldown shows the evidence events in a list — ready for the auditor.

Export

  • Print/PDF — clean stylesheet → "Save as PDF" via the browser
  • CSV — control × status matrix
  • Evidence pack — JSON + Markdown + HTML, downloadable ZIP
Audit log
Audit log · who changed what, when

Every mutating action is appended to dbo.audit_log:

  • timestamp, actor (user email)
  • action — e.g. device.create, device.delete, credential.update, soar.block, license.set
  • target_type, target_id, target_name
  • detail — JSON (which fields changed)
  • ip — caller IP

Audit records survive project deletion (for forensics). Filters: action prefix, target. Last 500 entries by default, CSV export available.

At boot, validateRuntimeConfig() runs the checks below; an incompatible prod configuration is rejected:

JWT_SECRET
Must be set and ≥ 32 chars
CREDENTIAL_KEY
Must be set (32-byte hex, AES-256-GCM)
SQL_PASSWORD
Must be set, not the dev password
SHAMASHAI_CORS_ORIGINS
Explicit list, wildcards forbidden
ALLOW_UNAUTH_INGEST
Must be false in production
SQL_TRUST_SERVER_CERTIFICATE
Warning logged when true

The Operations page exposes GET /operations/preflight which shows all checks on a single screen — every item must be green before going live.

  • No telemetry — phone-home is optional (only v2 license heartbeat)
  • Customer data never goes to AI training (Anthropic API contract)
  • Credentials are NEVER sent to AI — only anonymous fingerprint + sample
  • AI output language is the customer's choice — Turkish by default, EN option; sample logs are passed through redactSensitiveText() before going to AI
  • WhatsApp access token is stored AES-256-GCM encrypted; audit-logged with masking
  • Synthetic demo dataset — isolated from production data; tagged demo:synthetic, "Remove demo data" only deletes tagged rows, real events untouched
  • Air-gap deployment can disable all outbound traffic
  • Backup/restore — JSON snapshot, single file, customer-controlled
  • Per-deployment isolation — multi-tenant code exists but is dormant; single-org experience is the priority

Get in touch for the security questionnaire

We have a detailed security questionnaire ready for your CISO. Pen-test results are shared under the pilot SOW.