Security
How Octyx protects organization data, sessions, and payments.
Report a vulnerability
Email security@octyx.app with a PoC and reproduction steps. We reply within one business day. No bug bounty yet — we gladly credit researchers in advisories.
security@octyx.appTransport & sessions
Public endpoints serve TLS 1.2+. Session cookies are HttpOnly, Secure, SameSite=Lax. State-changing API calls require CSRF tokens.
Tenant isolation
Every organization is UUID-scoped. API and workers filter by tenant; cross-tenant access is blocked in the application layer.
Files & secrets
Uploads go through a single file module into S3-compatible storage. Secrets come from environment only — never the repo.
Compliance
Practices align with Russian 152-FZ. Privacy questions: privacy@octyx.app.