Security

How Octyx protects organization data, sessions, and payments.

Report a vulnerability

Email security@octyx.app with a PoC and reproduction steps. We reply within one business day. No bug bounty yet — we gladly credit researchers in advisories.

security@octyx.app

Transport & sessions

Public endpoints serve TLS 1.2+. Session cookies are HttpOnly, Secure, SameSite=Lax. State-changing API calls require CSRF tokens.

Tenant isolation

Every organization is UUID-scoped. API and workers filter by tenant; cross-tenant access is blocked in the application layer.

Files & secrets

Uploads go through a single file module into S3-compatible storage. Secrets come from environment only — never the repo.

Compliance

Practices align with Russian 152-FZ. Privacy questions: privacy@octyx.app.