01
Encryption-at-rest for TOTP secrets
TOTP secrets encrypted with AES-256-GCM, HKDF-SHA256 key derivation from SESSION_SECRET, versioned envelope (enc:v1). Remaining stored secrets move under the same envelope Q3 2026.
Security & Compliance
AES-256-GCM encryption at rest for TOTP secrets today, with HKDF key derivation — remaining secrets move under the same envelope Q3 2026. TOTP 2FA. JWT revocation watermark. Per-tenant audit log. ISO 13485 + 21 CFR Part 11 audit support. Built for the security questionnaire, not retrofitted.
Read-only demo · no signup · realistic seeded records
What's hardened
May 2026 audit closed 11 findings (2 critical, 5 high, 3 medium, 1 low) plus added TOTP encryption-at-rest. Every finding is documented in the BUG_TRACKER. Every fix has tests. The full security posture is published, not hidden behind an NDA.
01
TOTP secrets encrypted with AES-256-GCM, HKDF-SHA256 key derivation from SESSION_SECRET, versioned envelope (enc:v1). Remaining stored secrets move under the same envelope Q3 2026.
02
Per-user jwt_issued_at column. Logout, suspension, or password change bumps it; all live tokens for that user invalidate instantly.
03
Per-user TOTP with bcrypt-hashed backup codes. Pending vs active secret separation prevents TOCTOU.
04
Every CRUD operation logged with actor, tenant, before/after diff. Sensitive entities (passwords, secrets) auto-redacted.
05
Electronic signatures with intent attestation, timestamp, IP, and an append-oriented record. Designed to support FDA-regulated change control.
06
Username enumeration response normalization. Rate limiting via X-Forwarded-For with TRUSTED_PROXY_DEPTH. Read-audit logging on tenant-scoped reads.
Connected workflow
Azora keeps project work, quality evidence, people, suppliers, units, documents, and customer context on one shared operating core—without a sync job between every team.
TOTP secrets encrypted with AES-256-GCM, HKDF-SHA256 key derivation from SESSION_SECRET, versioned envelope (enc:v1). Remaining stored secrets move under the same envelope Q3 2026.
Per-user jwt_issued_at column. Logout, suspension, or password change bumps it; all live tokens for that user invalidate instantly.
Per-user TOTP with bcrypt-hashed backup codes. Pending vs active secret separation prevents TOCTOU.
Every CRUD operation logged with actor, tenant, before/after diff. Sensitive entities (passwords, secrets) auto-redacted.
“Most SaaS vendors answer security questionnaires by attaching a SOC2 PDF. Azora answers by linking to the commits. Every fix in the May 2026 third-party audit has a diff, a test, and a ticket. The full posture is published, not under NDA.”
At GA: one plan, every module—$29/paid editor/month annually or $35 monthly, 30-day full-feature trial, unlimited free read-only viewers, and a 5-editor minimum. Open-beta design partners lock $20/editor/month annually for 24 months from GA.
See it before you talk to sales
Read the architecture brief for the schema, encryption, audit-log structure, and the full May 2026 third-party audit findings. Then send us your questionnaire — we'll return it with diff links.