Operational Overview
- Cloud-oriented architecture designed for deployment flexibility across major providers.
- Private-preview product access gated through authenticated user accounts.
- High-level public pipeline descriptions with no proprietary model or internal data-flow disclosure.
Website and API Controls
- TLS-enabled deployment expected at edge and application layers.
- Input validation and structured request handling for account authentication APIs.
- Security headers: CSP, anti-framing policy, strict referrer policy, and content-type hardening.
- Session cookies are HTTP-only and protected by same-site controls.
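
A way to spot-check the header and cookie controls listed above against a captured response, written as an added example and not denovoX's own code. The function name, the sample response, and the set of Referrer-Policy values treated as strict are assumptions of this example.

```python
from http.cookies import SimpleCookie

# Assumption: which Referrer-Policy values count as "strict" is this example's choice.
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def audit_response(headers, set_cookies):
    """Return findings for missing controls; an empty list means all were present."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # CSP: split into {directive: [sources]} so frame-ancestors can be inspected.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])
    if not csp:
        findings.append("csp: header missing or empty")
    # Anti-framing: CSP frame-ancestors without a bare wildcard, or X-Frame-Options.
    ancestors = csp.get("frame-ancestors")
    framed_by_csp = ancestors is not None and "*" not in ancestors
    if not framed_by_csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("framing: no frame-ancestors or X-Frame-Options restriction")
    # Referrer-Policy may list fallbacks; this check evaluates the last listed value.
    policy = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if policy not in STRICT_REFERRER:
        findings.append("referrer: policy missing or not strict")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("content-type: nosniff missing")
    for raw in set_cookies:
        jar = SimpleCookie()
        jar.load(raw)
        if not jar:
            findings.append("cookie: unparseable Set-Cookie value")
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"cookie {name}: HttpOnly missing")
            if morsel["samesite"].lower() not in ("lax", "strict"):
                findings.append(f"cookie {name}: SameSite missing or None")
    return findings

# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    print(audit_response(SAMPLE_HEADERS, SAMPLE_COOKIES) or "all listed controls present")
```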
Data Protection Posture
- Passwords are stored as salted PBKDF2 hashes rather than plaintext.
- Protected account routes require a valid authenticated session.
- Operational data remains accessible only to authorized denovoX operators.
Infrastructure Notes (MVP)
- MVP currently tested with labs at Nazarbayev University.
- Infrastructure strategy remains cloud-agnostic.
- Connected tool surfaces from the VPS workspace are currently represented inside the account area as placeholders.
Responsible Disclosure
If you identify a potential vulnerability, report it privately to security@denovox.org with reproduction details and an impact assessment.
We review reports in good faith and coordinate remediation communications directly with reporters.