Security & Compliance

Defense-in-depth, by default.

AES-256-GCM encryption at rest for TOTP secrets today, with HKDF key derivation — remaining secrets move under the same envelope Q3 2026. TOTP 2FA. JWT revocation watermark. Per-tenant audit log. ISO 13485 + 21 CFR Part 11 audit support. Built for the security questionnaire, not retrofitted.

Read-only demo · no signup · realistic seeded records

Multi-tenant topology illustrating tenant isolation
Captured from a real seeded Azora workspace.

What's hardened

Eleven findings, eleven fixes — every one published.

May 2026 audit closed 11 findings (2 critical, 5 high, 3 medium, 1 low) plus added TOTP encryption-at-rest. Every finding is documented in the BUG_TRACKER. Every fix has tests. The full security posture is published, not hidden behind an NDA.

01

Encryption-at-rest for TOTP secrets

TOTP secrets encrypted with AES-256-GCM, HKDF-SHA256 key derivation from SESSION_SECRET, versioned envelope (enc:v1). Remaining stored secrets move under the same envelope Q3 2026.

02

JWT revocation watermark

Per-user jwt_issued_at column. Logout, suspension, or password change bumps it; all live tokens for that user invalidate instantly.

03

TOTP 2FA + backup codes

Per-user TOTP with bcrypt-hashed backup codes. Pending vs active secret separation prevents TOCTOU.

04

Per-tenant audit log

Every CRUD operation logged with actor, tenant, before/after diff. Sensitive entities (passwords, secrets) auto-redacted.

05

E-signatures designed for Part 11 support

Electronic signatures with intent attestation, timestamp, IP, and an append-oriented record. Designed to support FDA-regulated change control.

06

Defense in depth

Username enumeration response normalization. Rate limiting via X-Forwarded-For with TRUSTED_PROXY_DEPTH. Read-audit logging on tenant-scoped reads.

Connected workflow

Security & Compliance works better when the context travels with it.

Azora keeps project work, quality evidence, people, suppliers, units, documents, and customer context on one shared operating core—without a sync job between every team.

  1. 01
    Encryption-at-rest for TOTP secrets

    TOTP secrets encrypted with AES-256-GCM, HKDF-SHA256 key derivation from SESSION_SECRET, versioned envelope (enc:v1). Remaining stored secrets move under the same envelope Q3 2026.

  2. 02
    JWT revocation watermark

    Per-user jwt_issued_at column. Logout, suspension, or password change bumps it; all live tokens for that user invalidate instantly.

  3. 03
    TOTP 2FA + backup codes

    Per-user TOTP with bcrypt-hashed backup codes. Pending vs active secret separation prevents TOCTOU.

  4. 04
    Per-tenant audit log

    Every CRUD operation logged with actor, tenant, before/after diff. Sensitive entities (passwords, secrets) auto-redacted.

“Most SaaS vendors answer security questionnaires by attaching a SOC2 PDF. Azora answers by linking to the commits. Every fix in the May 2026 third-party audit has a diff, a test, and a ticket. The full posture is published, not under NDA.”
Azora Solutions · From the May 2026 third-party security audit summary
11Audit findings closed (May 2026)
AES-256GCM for TOTP secrets at rest, with HKDF derivation
0Plaintext TOTP secrets in any column
Open beta nowFree, demo-first, and sales-provisioned within 24 hours.

At GA: one plan, every module—$29/paid editor/month annually or $35 monthly, 30-day full-feature trial, unlimited free read-only viewers, and a 5-editor minimum. Open-beta design partners lock $20/editor/month annually for 24 months from GA.

See it before you talk to sales

The technical brief, then the questionnaire.

Read the architecture brief for the schema, encryption, audit-log structure, and the full May 2026 third-party audit findings. Then send us your questionnaire — we'll return it with diff links.