Platform Security
Overview
Section titled “Overview”RedCloud is a security product, and it holds itself to the standard it measures others against. This page documents the platform’s own security model for your security and procurement teams.
Secure-by-default principles
Section titled “Secure-by-default principles”| Principle | What it means |
|---|---|
| Secure by default | Production defaults to the safest behavior; there is no implicit insecure fallback |
| No silent downgrade | The system never silently drops from secure to permissive |
| Tenant isolation is an invariant | Enforced everywhere; unknown ownership is denied |
| Least privilege | No wildcard permissions, no implicit admin |
| Governed break-glass | Emergency access is off by default, scoped, reason-required, and audited |
| Fail fast | Startup is blocked in production on an unsafe configuration |
| Deny by default | If ownership or authorization is unclear, access is denied |
Authentication & authorization
Section titled “Authentication & authorization”Every route makes an explicit authentication decision, and authorization follows authentication. Sessions use short-lived access tokens with refresh; API keys are verified against the database and fail closed if that check can’t run. The high-impact admin actions additionally require MFA. See API Authentication and Permissions & Scopes.
Fail-fast startup
Section titled “Fail-fast startup”In production the backend refuses to start if required secrets are missing or weak, storage isn’t strict, dev mode is on, a tenant-bypass flag is set, or the database is unreachable. This makes an unsafe deployment fail loudly instead of running in a degraded state. See Configuration.
Centralized audit
Section titled “Centralized audit”Security-relevant actions are recorded through a single audit system with a structured schema — actor, tenant, action, and result — and a correlation ID, with no secrets in logs. This gives a consistent, queryable trail across the platform.
Command execution & secrets
Section titled “Command execution & secrets”External commands run through a centralized, sandboxed executor with timeouts and output redaction. Secrets are never written to logs, auto-generated secrets are refused in production, and the design is rotation-ready.