Security

How Carlquist protects your data and systems. For compliance details and certification roadmap, see our Trust Center.

Security Model

Carlquist operates as a middleware layer between your legacy systems and modern applications. We follow a principle of minimal data residency: adapter payloads are transformed in memory and delivered to your endpoints. We do not store, inspect, or mine your business data. Our security model is built on defense in depth, least privilege, and separation of concerns.

Controls Summary

Control	Status	Details
TLS 1.3 (in transit)	Live	All connections encrypted with TLS 1.3. HSTS preload enabled.
AES-256 (at rest)	Live	All stored credentials and configuration encrypted at rest.
RBAC	Live	Role-based access control at org, project, adapter, and endpoint level.
Scoped API Keys	Live	Keys scoped to specific adapters and operations. Rotation supported.
Audit Logging	Live	All API calls, config changes, and admin actions logged with actor, IP, timestamp.
Field Masking	Live	PII and sensitive fields masked at the mapping layer before delivery.
CSP / Security Headers	Live	Strict Content Security Policy, HSTS, X-Frame-Options DENY, no inline scripts or styles.
SSO / SAML	Enterprise	Available on Enterprise plans. SCIM provisioning planned.
SOC 2 Type II	In Progress	Audit preparation underway. Target: Q3 2026.
Penetration Testing	Planned	Third-party pen test scheduled for Q2 2026. Results available for design partners.

Encryption

In Transit

All data in transit is encrypted using TLS 1.3 with modern cipher suites. HTTP Strict Transport Security (HSTS) is enforced with preload, includeSubDomains, and a one-year max-age. Downgrade attacks are prevented at the protocol level.

At Rest

Adapter credentials, API keys, and configuration data are encrypted at rest using AES-256. Encryption keys are managed through isolated key stores with automatic rotation. Adapter payload data is processed in memory and is not persisted to disk.

Key Management

Encryption keys are stored separately from encrypted data with strict access controls. Key rotation occurs on a regular schedule. Customer-managed keys (CMK) are on the roadmap for Enterprise customers.

Access Control

Authentication: Email/password with mandatory MFA, or SSO/SAML for Enterprise customers. API access uses scoped keys with configurable expiration.
Authorization: RBAC model with hierarchy: Organization → Project → Adapter → Endpoint. Permissions are additive and follow least privilege.
API Key Scopes: Keys can be scoped to read-only, specific adapters, specific endpoints, or admin operations. Each key has an audit trail.
Session Management: Sessions expire after inactivity. Concurrent session limits enforced per user.

Audit Logging

Carlquist maintains comprehensive audit logs for security and compliance purposes.

Events Captured

All API requests (method, path, actor, IP address, response code, timestamp)
Authentication events (login, logout, MFA challenges, failed attempts)
Configuration changes (adapter create/update/delete, mapping changes, policy changes)
Administrative actions (user invite, role change, key rotation, key revocation)
Data access events (query execution, export requests)

Retention & Export

Audit logs are retained for 90 days by default, with extended retention available on Enterprise plans. Logs can be exported in CSV format. SIEM integration (Splunk, Datadog, Elastic) is on the roadmap.

Secure Development Lifecycle

Code Review: All changes require peer review before merge. No direct pushes to production branches.
Dependency Scanning: Automated scanning for known vulnerabilities in third-party dependencies on every build.
Static Analysis: Linting and security-focused static analysis in CI pipeline.
Environment Isolation: Strict separation between development, staging, and production environments. No production data in non-production environments.
Release Process: Tagged releases with changelog. Rollback capability for every deployment.

Infrastructure

Hosting: Managed cloud infrastructure with provider-level physical security, SOC 2, and ISO 27001 certifications.
Network: Private networking between services. Public endpoints exposed through reverse proxy with rate limiting and DDoS mitigation.
Containers: Services run in isolated containers with read-only filesystems and no root access.
Backups: Automated encrypted backups with point-in-time recovery. Backup integrity verified on schedule.

Vulnerability Disclosure

Responsible Disclosure: If you discover a security vulnerability in Carlquist, please report it to security@carlquist.app. We acknowledge reports within 2 business days and aim to resolve critical issues within 7 days. We do not pursue legal action against good-faith security researchers.

Shared Responsibility

Carlquist Secures	Customer Secures
Platform infrastructure and runtime	Source system credentials and access
Adapter connection encryption	Schema correctness and data quality
Audit logging and monitoring	Webhook endpoint security
Key management and rotation	API key custody and rotation cadence
Patch management and updates	User access reviews and offboarding
Backup integrity and recovery	Downstream application security

Additional Resources

Trust Center — Compliance roadmap, certifications, and live security controls
Terms of Service — Usage terms and contractual framework
Privacy Policy — Data collection, retention, and your rights
security@carlquist.app — Security questions and vulnerability reports