Security
Enterprise Security
by Design
Security is not a feature we added. It's the foundation we built on. Every layer — from authentication to audit — is designed for organizations that handle sensitive data and cannot afford compromise.
Authentication & authorization
Identity, verified at every layer
StudAI BOS uses a multi-layered authentication and authorization model. Every API request is authenticated, every action is authorized against role and attribute policies, and every session is cryptographically verified.
JWT Token Authentication
Stateless, cryptographically signed JWT tokens with short expiration windows. Token refresh follows secure rotation patterns. No session state stored server-side.
RBAC — Role-Based Access Control
Predefined roles (Owner, Admin, Manager, Member, Viewer) with granular permissions per module, per action. Custom roles supported for enterprise plans.
ABAC — Attribute-Based Access Control
Policies evaluate contextual attributes: department, monetary threshold, time of day, geographic location. ABAC works alongside RBAC for fine-grained authorization.
Multi-Factor Authentication
MFA support with TOTP (time-based one-time passwords). Required for admin roles. Configurable enforcement policies per organization.
Row-Level Security
Every database query is filtered by organization ID at the query layer. There is no application-level trust boundary — isolation is enforced at the database engine level. A bug in application code cannot expose another tenant's data.
Namespace Isolation
Each organization operates in a logically isolated namespace. API keys, webhooks, workflow executions, and audit logs are scoped to the organization. No shared state between tenants.
Zero Cross-Org Data Leakage
AI models do not train on customer data. Cross-organization queries are architecturally impossible — the data access layer rejects any request that does not include a valid organization context.
Tenant isolation
Your data is yours alone
In a multi-tenant system, the question is never “do you isolate?” — it's “at what layer?” StudAI BOS enforces isolation at the database, application, and AI layers. There is no shared surface between tenants.
Infrastructure
Hosted on Azure India with enterprise-grade encryption
Azure India (Central & South)
Primary hosting in Azure Central India. Disaster recovery in Azure South India. Data does not leave Indian jurisdiction without explicit organizational consent.
Encrypted at Rest — AES-256
All data stored in databases, file storage, and backups is encrypted using AES-256 encryption. Encryption keys are managed via Azure Key Vault with automatic rotation.
Encrypted in Transit — TLS 1.3
All data in transit uses TLS 1.3. Internal service-to-service communication uses mutual TLS. No plaintext communication at any layer.
Azure Key Vault
All secrets, API keys, and encryption keys are stored in Azure Key Vault. Zero secrets in code, configuration files, or environment variables in production.
Automated Rotation
Secrets and keys follow automated rotation policies. Database credentials, API keys, and encryption keys rotate on configurable schedules without downtime.
Infrastructure as Code
All infrastructure is defined as code, version-controlled, and deployed through audited CI/CD pipelines. No manual server configuration.
Audit trail
Hash-chained, tamper-evident, exportable
Every action in StudAI BOS generates an audit event. Audit events are hash-chained — each event includes a SHA-256 hash of the previous event, creating a tamper-evident chain that any party can verify.
Before/After Snapshots
Every mutation captures the complete state before and after execution. Full diff visibility for compliance review and forensic analysis.
Tamper Detection
Continuous integrity verification. If any audit event is modified, deleted, or inserted out of sequence, the hash chain breaks and the system flags the anomaly immediately.
Exportable Logs
One-click export of audit logs in structured formats (JSON, CSV) for external audit firms, regulatory bodies, or internal compliance review.
Configurable Retention
90-day minimum retention on Growth plans. 365-day retention on Enterprise plans. Custom retention policies available for regulated industries.
API security
Protection at the network edge
Rate Limiting
Per-endpoint, per-user, and per-organization rate limits. Configurable thresholds with automatic throttling and clear error responses. Prevents abuse without impacting legitimate usage.
IP Whitelisting
Enterprise organizations can restrict API access to specific IP ranges. Useful for organizations with static office IPs or VPN exit nodes that want an additional layer of network-level access control.
API Key Management
Scoped API keys with configurable permissions and expiration dates. Keys are stored in Azure Key Vault with rotation support. Revocation is immediate and reflected across all endpoints.
Testing
Penetration Testing
StudAI BOS undergoes regular penetration testing by independent security firms. Testing covers web application security, API security, authentication bypass attempts, and infrastructure vulnerabilities. Results are remediated on a risk-prioritized timeline.
Enterprise customers can request the latest penetration test summary under NDA as part of their security assessment.
Disclosure
Vulnerability Disclosure
We operate a responsible vulnerability disclosure program. Security researchers who discover vulnerabilities can report them through our dedicated security contact channel. We acknowledge receipt within 24 hours, triage within 72 hours, and provide status updates every 7 days until resolution.
Contact: security@studai.co
Need a detailed security assessment?
Our team is available to walk through our security architecture, share penetration test summaries under NDA, and answer your security questionnaire.