Enterprise Security

Built for teams that cannot afford mistakes

CentaurX is built on enterprise security principles: full human control over every action, per-tenant data isolation, encryption of data in transit and at rest, and complete traceability of every action.

Human-in-the-Loop
Native RBAC
AES-256 Encryption
Full Audit Trail

CentaurX's four security pillars

Each pillar covers a different layer: operational, access control, data and traceability.


Human-in-the-Loop

No agent executes changes in your CRM without your explicit approval. Every action is proposed, not executed.

  • Proposals with context, impact and alternatives
  • Approval by channel (UI, email, Slack)
  • Instant cancellation before execution

Granular RBAC

Full control over who can do what. Predefined roles + customizable permissions per workspace.

  • Roles: Admin, Manager, Rep, Viewer
  • Permissions per module and action type
  • Per-tenant workspace isolation

Data Encryption

Integration tokens are encrypted with AES-256-GCM before storage. Sensitive data never travels in plain text: every external connection uses TLS.

  • AES-256 for HubSpot OAuth tokens
  • TLS 1.3 on all external connections
  • Automatic session token rotation

Audit Trail

Every agent action is logged with timestamp, approving user, payload and result, in an append-only log that cannot be edited after the fact.

  • Structured log of all executions
  • Exportable for compliance audits
  • Configurable retention per plan

Implemented technical controls

Every control is live in production and validated with automated tests.


CSRF Protection

Double-submit CSRF tokens on all state-changing (mutation) routes. Implemented in csrf.ts as middleware that validates the token before the route handler runs.


Token Encryption

tokenCrypto.ts encrypts all OAuth tokens with AES-256-GCM before persisting them to the database.


Rate Limiting

Two implementations: rateLimiter.ts (in-memory, for development) and rateLimiterRedis.ts (production, so that all instances share one counter), both applying a sliding window per IP and per tenant.
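
As an added illustration (example code written for this page, not CentaurX's rateLimiter.ts): an in-memory sliding-window limiter keyed by tenant and client IP, with an injectable clock so behaviour at the window boundary can be checked deterministically. The limiter interface, the key format and the middleware wrapper are assumptions.

```javascript
// Added example, not CentaurX code: sliding-window (sliding log) rate limiter.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> ascending array of request timestamps (ms)
  }

  // NUL separator so tenant "a:b" + ip "c" and tenant "a" + ip "b:c" cannot collide.
  static key(tenantId, ip) {
    return `${tenantId}\u0000${ip}`;
  }

  // Returns { allowed, remaining, retryAfterMs }. Denied requests are not
  // recorded, so the client becomes eligible again exactly when the oldest
  // recorded hit leaves the window.
  consume(tenantId, ip) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const k = SlidingWindowLimiter.key(tenantId, ip);
    const log = this.hits.get(k) || [];
    while (log.length && log[0] <= cutoff) log.shift(); // expire hits older than the window
    if (log.length >= this.limit) {
      return { allowed: false, remaining: 0, retryAfterMs: log[0] + this.windowMs - t };
    }
    log.push(t);
    this.hits.set(k, log);
    return { allowed: true, remaining: this.limit - log.length, retryAfterMs: 0 };
  }

  // Periodic sweep so idle keys do not accumulate in memory.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [k, log] of this.hits) {
      while (log.length && log[0] <= cutoff) log.shift();
      if (log.length === 0) this.hits.delete(k);
    }
  }
}

// Express-style middleware factory: 429 with Retry-After when denied.
function rateLimitMiddleware(limiter, getTenant = (req) => req.tenantId || "anonymous") {
  return (req, res, next) => {
    const verdict = limiter.consume(getTenant(req), req.ip);
    res.setHeader("X-RateLimit-Remaining", String(verdict.remaining));
    if (verdict.allowed) return next();
    res.setHeader("Retry-After", String(Math.ceil(verdict.retryAfterMs / 1000)));
    res.status(429).json({ error: "rate limit exceeded" });
  };
}
```

The in-memory version counts per process, so behind a load balancer each instance would grant the full limit independently; that is the reason for a shared production store. The same algorithm maps onto a Redis sorted set per key (add the timestamp, drop members older than the window, count, set a TTL) run atomically in a transaction or Lua script.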


Prompt Sanitization

promptSanitizer.ts validates and cleans all inputs before they are sent to the LLM, to mitigate prompt injection. Sanitization narrows the attack surface; the human-in-the-loop approval step is what stops an injected instruction from becoming an executed action.


PKCE + OAuth 2.0

OAuth 2.0 authorization-code flow with PKCE (pkce.ts) for HubSpot. Because the token request must present the code_verifier matching the code_challenge sent at authorization time, an intercepted authorization code alone cannot be redeemed for tokens.


TOTP / 2FA

Two-factor authentication with time-based one-time passwords (RFC 6238), available via totp.ts. Works with Google Authenticator and any other TOTP app.


HubSpot integration: your data, under your control

CentaurX only reads and writes to HubSpot through HubSpot's official API. We never store copies of your CRM data outside HubSpot.

  • Official OAuth 2.0 with minimum required scopes
  • No contact data storage outside HubSpot
  • Instant access revocation from HubSpot

Shared responsibility model

As with any enterprise platform, security is a shared responsibility.

Area                         | CentaurX                 | Your team
Infrastructure & encryption  | CentaurX responsibility  | -
User permissions & roles     | Tools provided           | Configuration
Integration tokens           | Encryption & rotation    | Revocation if compromised
Data in HubSpot              | -                        | Customer responsibility
AI action approval           | Proposal system          | Mandatory human approval

Security questions?

Our team responds in under 24h. Architecture documentation also available for enterprise.

Contact the security team