Security

Open source means auditable.

Serpaix is licensed under MIT and developed in the open. Every claim on this page maps to code in the public monorepo. Items marked On roadmap are tracked in our public issues and will be implemented before any general-availability claim.

Auditable by design

Every primitive below lives in the public monorepo. No black-box security theater — read the code, file issues, send PRs.

Encrypted at rest and in transit

AES-256-GCM field encryption for sensitive columns, TLS 1.3 in transit, HSTS in production.

Real authentication, not a checkbox

Argon2id password hashing, TOTP-based 2FA, JWT with refresh rotation, SAML 2.0 SSO, SCIM 2.0 provisioning.

Audit logs that survive

Per-user audit log and per-org audit log. Every admin action is recorded with actor, target, and reason.

Security primitives

AES-256-GCM field encryption

Available

Sensitive fields (OAuth tokens, vault entries, secrets) are encrypted with authenticated AES-256-GCM.

Verified in apps/backend/src/lib/crypto.ts and Prisma column-level encryption.

TLS 1.3 in transit

Available

All network traffic is encrypted with TLS 1.3. Production deployments set HSTS with includeSubDomains.

Argon2id password hashing

Available

Passwords are hashed with Argon2id (memory-hard, side-channel resistant).

Cost parameters are configurable; passwords are never stored in plaintext or any reversible form.

TOTP two-factor authentication

Available

Time-based one-time passwords (RFC 6238) for an additional authentication factor.

Role-based access control

Available

Owner, admin, editor, and viewer roles scoped to workspaces and resources.

Audit log

Available

Immutable append-only event store records every state change with actor, target, and timestamp.

Per-user AuditLog and per-org OrgAuditLog tables — queryable in the admin dashboard.

GDPR data export

Available

Self-service export of all user data in JSON, Markdown, and CSV. Account deletion becomes permanent within 30 days.

Enterprise & compliance

These capabilities ship with the upcoming Enterprise plan or are tracked on our public roadmap. We don't claim anything on this list until the corresponding code is merged.

SAML 2.0 SSO

Available

Single sign-on via SAMLify. Compatible with Okta, Azure AD, ADFS, and any SAML 2.0 IdP.

SCIM 2.0 provisioning

Available

Automated user lifecycle from your IdP — provisioning, de-provisioning, and group sync.

IP allowlisting

Available

CIDR-block network access control for the admin console and API.

Admin dashboard

Available

Org-wide usage analytics, member management, and governance controls.

HIPAA-grade data classification

On roadmap

PHI tagging, classification-aware logging, and enhanced audit trail for healthcare workloads.

SIEM export

On roadmap

Audit log streaming to Splunk, Datadog, Elastic, or your SIEM of choice.

SOC 2 Type II

On roadmap

Third-party audit covering security, availability, and confidentiality trust criteria.

Bring-your-own-key (BYOK)

Enterprise

Customer-managed encryption keys for the AES-256-GCM field layer.

Need something specific?

If your security review requires a control not listed here, tell us. We'll either confirm it's available, point you to the code, or add it to the roadmap publicly.