Security & Compliance

Defense-in-depth, by default.

AES-256-GCM encryption-at-rest with HKDF key derivation. TOTP 2FA. JWT revocation watermark. Per-tenant audit log. ISO 13485 + 21 CFR Part 11 audit support. Built for the security questionnaire, not retrofitted.

Multi-tenant topology illustrating tenant isolation
What's hardened

Eleven security findings, all closed.

The May 2026 audit closed 11 findings (2 critical, 5 high, 3 medium, 1 low) and added TOTP encryption-at-rest. Every finding is documented in the BUG_TRACKER. Every fix has tests. The full security posture is published, not hidden behind an NDA.

Encryption-at-rest

TOTP secrets, R2 credentials, license keys — all AES-256-GCM with HKDF-SHA256 key derivation from SESSION_SECRET. Versioned envelope (enc:v1).

JWT revocation watermark

Per-user jwt_issued_at column. Logout, suspension, or password change bumps it; all live tokens for that user invalidate instantly.

TOTP 2FA + backup codes

Per-user TOTP with bcrypt-hashed backup codes. Keeping the pending (unverified) secret separate from the active one prevents a TOCTOU race.

Per-tenant audit log

Every CRUD operation logged with actor, tenant, before/after diff. Sensitive entities (passwords, secrets) auto-redacted.

21 CFR Part 11 e-signatures

Electronic signatures with intent attestation, timestamp, IP, and immutable record. Required for FDA-regulated change control.

Defense in depth

Normalized responses to prevent username enumeration. Rate limiting keyed on the client address from X-Forwarded-For, bounded by TRUSTED_PROXY_DEPTH. Read-audit logging on tenant-scoped reads.

"We sent Azora the security questionnaire we send all SaaS vendors. They returned it the next day with diff links to every commit that hardened each item. That was a first."

Customer, Security Lead, Class II Med Device co.

11 audit findings closed (May 2026)

AES-256-GCM at rest, with HKDF derivation

0 plaintext secrets in any column

Ready when you are

Get the security review pack.

Talk to sales — we'll send you the security questionnaire we've already filled out for two enterprise customers.