Security
Security is a product surface, not a paragraph. This page describes how we operate the Servora platform: infrastructure, data protection, access controls, monitoring, and the way we handle disclosure when something goes wrong.
Infrastructure
Servora runs on AWS with Railway as our application orchestration layer. Production workloads are isolated in their own environment with network-level boundaries. Database is managed Postgres with point-in-time recovery enabled and daily snapshots retained for thirty days.
Enterprise customers can request EU-resident infrastructure or a single-tenant deployment with a separately negotiated platform fee.
Encryption
All traffic is encrypted in transit with TLS 1.2 or higher. Data is encrypted at rest with AES-256. Database backups are encrypted with separately managed keys. Secret material is held in a dedicated secret store with audited access.
Access controls
Servora staff access to production is least-privilege and time-bound, gated behind SSO + hardware second factor. Production database access is audited and reviewed quarterly. Customer support has access only to the metadata required to resolve a ticket, never to your reports, evidence, or billing PII unless you explicitly invite us in.
Inside your tenant, role-based access controls are first-class. Owners can audit every read and write through the platform audit log; retention follows your tier with extensions available on Business Plus.
Monitoring
We run continuous monitoring across uptime, latency, error rate, and security signal. Anomalies page the on-call engineer through a 24/7 rotation. We also run regular vulnerability scans on dependencies and the application surface.
Compliance
SOC 2 Type II is in progress; we expect the first report mid-2026. We follow GDPR principles for EU personal data and CCPA for California consumer data. HIPAA workflows are available on Enterprise with a Business Associate Agreement.
Vulnerability disclosure
We welcome security research. Report findings to [email protected] with as much detail as you can share. We will acknowledge receipt within two business days, triage within five, and credit the reporter (if you'd like) once the fix has shipped.
We do not pursue legal action against researchers acting in good faith.
Contact
[email protected]. PGP key available on request.