Security Policy
Last updated: March 1, 2026
This Security Policy describes the technical and organizational controls CentaurX Inc. maintains to protect your data and ensure the secure operation of the CentaurX platform.
1. Security Architecture
CentaurX is built on a defense-in-depth security model with multiple independent layers of protection. Our security architecture prioritizes human control, data minimization, and full auditability of every action.
Human-in-the-Loop (HiTL): No agent action that modifies CRM data, sends communications, or creates records executes without explicit human approval. This design constraint limits both the blast radius of security incidents and the risk of unintended data modifications.
Tenant Isolation: All data, agent contexts, and HubSpot tokens are isolated at the tenant level. No data crosses tenant boundaries under any circumstances.
2. Authentication and Access Control
OAuth 2.0 with PKCE: HubSpot authentication uses the PKCE (Proof Key for Code Exchange) extension, eliminating the authorization code interception attack vector.
Role-Based Access Control (RBAC): The platform implements granular RBAC with predefined roles (Admin, Manager, Rep, Viewer) and fine-grained permissions by module and action type. All API requests are validated against the requesting user's permissions before execution.
Session Security: Session tokens are rotated on authentication and follow industry-standard expiration practices. Tokens are stored securely and never exposed in URLs or logs.
Two-Factor Authentication (TOTP): 2FA is available via any TOTP-compatible authenticator application (Google Authenticator, Authy, etc.).
3. Data Protection
Encryption at Rest: All OAuth integration tokens are encrypted with AES-256-GCM before being persisted to the database. Encryption keys are stored separately and rotated regularly.
Encryption in Transit: All connections use TLS 1.3 at a minimum. Older protocol versions are explicitly disabled.
Token Lifecycle: Integration tokens are encrypted immediately upon receipt and never stored in plaintext. Tokens can be revoked instantly through the platform UI or through the connected service (e.g., HubSpot).
4. Input Validation and Injection Prevention
Prompt Sanitization: All user-provided inputs that are processed by AI models pass through a dedicated sanitization layer that validates and cleans content to prevent prompt injection attacks.
CSRF Protection: All mutation routes are protected by double-submit CSRF tokens, validated at the middleware layer before any processing occurs.
Rate Limiting: The platform implements two-layer rate limiting: per-IP rate limiting for public endpoints and per-tenant rate limiting for authenticated API routes, using a sliding window algorithm.
5. Infrastructure Security
CentaurX is deployed on Google Cloud Platform with the following controls:
- Network-level access controls and private VPC configuration
- Container-based infrastructure with immutable deployment artifacts
- Automated vulnerability scanning in the CI/CD pipeline
- Separate production and development environments with no shared credentials
6. Audit Trail
Every agent action is recorded in a complete, immutable audit log that includes the timestamp, requesting user, action type, payload hash, approval status, and execution result. Logs are tamper-evident and retained according to the terms of your plan.
Audit logs are exportable for compliance and internal review purposes.
7. Vulnerability Disclosure
We operate a responsible disclosure program. If you discover a security vulnerability in the CentaurX platform, please report it to security@centaurx.io.
We commit to:
- Acknowledging your report within 48 hours
- Providing an initial assessment within 7 business days
- Keeping you informed of our progress
- Not pursuing legal action against researchers who follow responsible disclosure practices
8. Security Incident Response
In the event of a confirmed security incident affecting customer data, CentaurX will notify affected customers within 72 hours of confirmation, consistent with applicable legal requirements (including GDPR Article 33/34 where applicable).
9. Third-Party Security
CentaurX integrates with third-party platforms (HubSpot, Slack, Stripe, Google Workspace). Each integration uses the minimum necessary permissions and official OAuth 2.0 flows. We review the security posture of our integration partners and monitor for relevant security advisories.
10. Contact
Security questions: security@centaurx.io
For urgent security matters, include "URGENT" in the subject line.