Skip to content

Trust Center

Security and Reliability Transparency

Every security claim on this page links to the code or documentation that implements it. No marketing abstractions — verifiable controls, open source.

16 controls across 4 domains Source: docs + code Last reviewed: March 2026
View Security Practices(opens in new tab) Browse Docs(opens in new tab)

Identity and Access

4 controls

Authentication and authorization are layered for human users, API keys, and agents.

  • MFA support (TOTP and optional SMS) for user authentication.
  • Role-based access control with permission checks via middleware.
  • Scoped access model across system, partner, and organization contexts.
  • API keys are prefixed and stored as SHA-256 hashes, not plaintext.

Verify

Security Architecture (opens in new tab) Users and Roles Reference (opens in new tab) API Keys Reference (opens in new tab)

Tenant Isolation and Data Protection

4 controls

Data access is constrained with request-scoped database context and encrypted secret storage.

  • Tenant context is applied to database sessions with scoped values per request.
  • Passwords use Argon2id parameters defined in API services.
  • Session/API/agent tokens are persisted as hashes rather than raw token values.
  • Secrets are encrypted at rest with AES-256-GCM.

Verify

Security Practices (source) (opens in new tab) Security Architecture (opens in new tab) Secret Rotation Guide (opens in new tab)

Network and Application Security

4 controls

Breeze applies defense-in-depth controls at transport, request, and policy layers.

  • CORS allowlist model with wildcard rejection in production validation.
  • CSRF protection on sensitive cookie-authenticated flows using x-breeze-csrf.
  • Security headers include CSP, HSTS, X-Frame-Options, and Permissions-Policy.
  • Redis-backed sliding-window rate limiting is designed fail-closed if Redis is unavailable.

Verify

Security Architecture (opens in new tab) Security Hardening Guide (opens in new tab) Security CI Workflows (opens in new tab)

Monitoring, Audit, and Response

4 controls

Security-relevant activity is logged and operational procedures are documented.

  • Audit log events capture actor, action, resource, source IP, user agent, and outcome.
  • Asynchronous audit logging is used across mutating routes and services.
  • Backup, restore, and disaster recovery runbooks are documented.
  • Coordinated vulnerability disclosure policy includes response timelines.

Verify

Audit Logs Reference (opens in new tab) Backup and Restore (opens in new tab) Vulnerability Disclosure Policy (opens in new tab)

Transparency Notes

Optional Agent mTLS

Cloudflare API Shield-based mTLS can be enabled for agent certificate issuance, renewal, and quarantine workflows.

SOC 2 Mapping

Breeze publishes SOC 2 Trust Services Criteria control alignment in documentation. This is a control mapping, not a public SOC 2 certification claim.

Open Source Transparency

Implementation details, workflows, and security docs are publicly inspectable in the Breeze repository.

Report a Security Issue

Follow coordinated disclosure and report vulnerabilities privately at security@lanternops.io. The published policy targets acknowledgment within 48 hours.

Read Disclosure Policy(opens in new tab) Inspect Source Code(opens in new tab)