
Trust Center

Security and Reliability Transparency

This page summarizes Breeze security controls using the live docs and implementation references in the Breeze codebase.

Source basis: docs and code.
Security practices doc updated: February 2026.

Identity and Access

Authentication and authorization are layered for human users, API keys, and agents.

  • MFA support (TOTP and optional SMS) for user authentication.
  • Role-based access control with permission checks via middleware.
  • Scoped access model across system, partner, and organization contexts.
  • API keys carry a non-secret identifying prefix and are stored as SHA-256 hashes, never as plaintext.

Tenant Isolation and Data Protection

Data access is constrained with request-scoped database context and encrypted secret storage.

  • Tenant context is applied to database sessions with scoped values per request.
  • Passwords are hashed with Argon2id, using the parameters defined in the API services.
  • Session/API/agent tokens are persisted as hashes rather than raw token values.
  • Secrets are encrypted at rest with AES-256-GCM.
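The two hash-on-store items above (API keys stored as SHA-256 hashes, and session/API/agent tokens persisted as hashes rather than raw values) share one pattern: the plaintext is handed out once, only a digest is written to the database, and the non-secret prefix lets the server find the row without the secret. The following is an added illustration of that pattern, not Breeze's own code; the `brz_` prefix, the `<prefix>_<id>_<secret>` layout, the `scope` field and the in-memory `KeyStore` standing in for the database are all assumptions.

```python
"""Prefixed API keys / tokens stored as SHA-256 digests (added example).

Not Breeze's implementation. Assumes a "<prefix>_<key_id>_<secret>" layout
and an in-memory dict standing in for the database table.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

KEY_PREFIX = "brz"      # hypothetical product prefix (assumption)
SECRET_BYTES = 32       # 256 bits of entropy per key


def _digest(key: str) -> str:
    """SHA-256 of the full presented key. A fast hash is adequate here
    because the secret part is high-entropy random, unlike a password."""
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class StoredKey:
    key_id: str         # non-secret identifier: safe to log, index and revoke by
    digest_hex: str     # SHA-256 of the full key string; the plaintext is never kept
    scope: str          # e.g. "org:42" (field name is an assumption)
    revoked: bool = False


@dataclass
class KeyStore:
    rows: Dict[str, StoredKey] = field(default_factory=dict)   # key_id -> row

    def issue(self, scope: str) -> str:
        """Create a key. The plaintext is returned exactly once and not stored."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(SECRET_BYTES)
        plaintext = f"{KEY_PREFIX}_{key_id}_{secret}"
        self.rows[key_id] = StoredKey(key_id, _digest(plaintext), scope)
        return plaintext

    def verify(self, presented: str) -> Optional[StoredKey]:
        """Parse the prefix and id, look the row up by id, then compare
        digests in constant time so a wrong key is not distinguishable
        from a revoked or unknown one by response timing."""
        parts = presented.split("_", 2)          # secret may itself contain "_"
        if len(parts) != 3 or parts[0] != KEY_PREFIX:
            return None
        row = self.rows.get(parts[1])
        if row is None or row.revoked:
            return None
        if not hmac.compare_digest(row.digest_hex, _digest(presented)):
            return None
        return row

    def revoke(self, key_id: str) -> None:
        """Revocation only needs the public id; no secret is required."""
        if key_id in self.rows:
            self.rows[key_id].revoked = True


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("org:42")
    print("issued:", key)
    print("verify ok:", store.verify(key) is not None)
    print("tampered ok:", store.verify(key[:-1] + "x") is not None)
```

A database dump from this scheme yields only digests, which cannot be replayed against the API. Note that this is the right trade-off for random tokens only: the page's separate use of Argon2id for passwords is because user-chosen passwords are low-entropy and need a deliberately slow hash.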

Network and Application Security

Breeze applies defense-in-depth controls at transport, request, and policy layers.

  • CORS uses an explicit origin allowlist; production configuration validation rejects wildcard (*) origins.
  • CSRF protection on sensitive cookie-authenticated flows using the x-breeze-csrf header.
  • Security headers include CSP, HSTS, X-Frame-Options, and Permissions-Policy.
  • Redis-backed sliding-window rate limiting is designed to fail closed: if Redis is unavailable, limited requests are rejected rather than waved through.
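The fail-closed rate limiter is the control in this list most worth seeing in code, because the failure mode is the whole point: a limiter that fails open lets anyone who can degrade the Redis backend switch the limit off. The following is an added example, not Breeze's implementation. `FakeSortedSet` stands in for the Redis sorted-set commands a sliding-window log would use (ZREMRANGEBYSCORE, ZCARD, ZADD); the limit, window and key layout are assumptions.

```python
"""Sliding-window rate limiter that fails closed when its store is down.

Added example, not Breeze's own code. FakeSortedSet mimics the Redis
sorted-set calls the real limiter would issue; limit/window are assumptions.
"""
import secrets
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


class BackendUnavailable(Exception):
    """Raised by the store when Redis cannot be reached."""


class FakeSortedSet:
    """In-memory stand-in for one Redis sorted set per client key."""

    def __init__(self) -> None:
        self.data: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
        self.down = False            # flip to simulate a Redis outage

    def _check(self) -> None:
        if self.down:
            raise BackendUnavailable("redis unreachable")

    def zremrangebyscore(self, key: str, lo: float, hi: float) -> None:
        self._check()
        self.data[key] = [(s, m) for s, m in self.data[key] if not (lo <= s <= hi)]

    def zcard(self, key: str) -> int:
        self._check()
        return len(self.data[key])

    def zadd(self, key: str, score: float, member: str) -> None:
        self._check()
        self.data[key].append((score, member))


class SlidingWindowLimiter:
    """Sliding-window log: one timestamped entry per request, trimmed to the window."""

    def __init__(self, store, limit: int, window_s: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.store, self.limit, self.window_s, self.clock = store, limit, window_s, clock

    def allow(self, client: str) -> bool:
        """True if the request is within the limit; False if over OR if the
        backend errors. Treating backend failure as 'deny' is the fail-closed
        choice the page describes."""
        now = self.clock()
        key = f"ratelimit:{client}"
        try:
            self.store.zremrangebyscore(key, 0, now - self.window_s)  # expire old hits
            if self.store.zcard(key) >= self.limit:
                return False
            self.store.zadd(key, now, f"{now}:{secrets.token_hex(4)}")  # unique member
            return True
        except BackendUnavailable:
            return False                                              # fail closed


def demo() -> dict:
    """Exercise the limiter with a controllable clock: 3 requests per 10 s."""
    t = [100.0]
    store = FakeSortedSet()
    lim = SlidingWindowLimiter(store, limit=3, window_s=10, clock=lambda: t[0])
    out = {"burst": [lim.allow("10.0.0.1") for _ in range(4)]}
    t[0] += 11                         # window slides past the whole burst
    out["after_window"] = lim.allow("10.0.0.1")
    store.down = True                  # simulate Redis outage
    out["during_outage"] = lim.allow("10.0.0.1")
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise against a real deployment: the trim/count/add sequence should run atomically (a MULTI block or a Lua script) or concurrent requests can slip past the limit, and fail-closed must be scoped to rate-limited routes only, so that a Redis outage degrades the API rather than taking down health checks and login for everyone.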

Monitoring, Audit, and Response

Security-relevant activity is logged and operational procedures are documented.

  • Audit log events capture actor, action, resource, source IP, user agent, and outcome.
  • Asynchronous audit logging is used across mutating routes and services.
  • Backup, restore, and disaster recovery runbooks are documented.
  • Coordinated vulnerability disclosure policy includes response timelines.
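The audit-log items above (events carrying actor, action, resource, source IP, user agent and outcome; emitted asynchronously from mutating routes) are what make the monitoring story useful to a responder, so the following added example shows both halves: a non-blocking emitter that drains to a JSON-lines sink, and a simple detection run over the resulting lines. This is illustration, not Breeze's code; the field names, the bounded queue, the sink and the sample events are all constructed here.

```python
"""Audit events emitted off the request path, plus a detection over them.

Added example, not Breeze's own implementation. Field names, the queue-based
emitter and the sample traffic are assumptions constructed for the demo.
"""
import asyncio
import json
from collections import defaultdict
from dataclasses import asdict, dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AuditEvent:
    ts: float
    actor: str          # user id, API key id or agent id; never a secret
    action: str         # e.g. "auth.login", "api_key.create"
    resource: str       # e.g. "org:42/api_key:ab12"
    source_ip: str
    user_agent: str
    outcome: str        # "success" | "denied" | "error"


class AsyncAuditLog:
    """Handlers call emit() and return immediately; a worker drains the queue."""

    def __init__(self, maxsize: int = 1000) -> None:
        self.queue: asyncio.Queue = asyncio.Queue(maxsize=maxsize)
        self.sink: List[str] = []          # stands in for a file, table or SIEM
        self.dropped = 0

    def emit(self, ev: AuditEvent) -> None:
        try:
            self.queue.put_nowait(ev)
        except asyncio.QueueFull:
            self.dropped += 1              # count drops; never lose them silently

    async def worker(self) -> None:
        while True:
            ev = await self.queue.get()
            self.sink.append(json.dumps(asdict(ev), sort_keys=True))
            self.queue.task_done()


def failed_logins_by_ip(lines: List[str], window_s: float, threshold: int) -> Dict[str, int]:
    """Flag source IPs with >= threshold denied logins inside any window_s span."""
    by_ip: Dict[str, List[float]] = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["action"] == "auth.login" and ev["outcome"] == "denied":
            by_ip[ev["source_ip"]].append(ev["ts"])
    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            if j - i >= threshold:
                flagged[ip] = j - i
                break
    return flagged


async def _simulate() -> dict:
    log = AsyncAuditLog()                  # created inside the running loop
    worker = asyncio.create_task(log.worker())
    base = 1_700_000_000.0
    # constructed sample traffic: one brute-force source, one legitimate user
    for i in range(6):
        log.emit(AuditEvent(base + 2 * i, "user:alice", "auth.login", "session",
                            "203.0.113.7", "curl/8.0", "denied"))
    log.emit(AuditEvent(base + 30, "user:bob", "auth.login", "session",
                        "198.51.100.5", "Mozilla/5.0", "success"))
    log.emit(AuditEvent(base + 31, "user:bob", "api_key.create", "org:42/api_key:ab12",
                        "198.51.100.5", "Mozilla/5.0", "success"))
    await log.queue.join()                 # wait for the worker to drain
    worker.cancel()
    return {"written": len(log.sink), "dropped": log.dropped,
            "flagged": failed_logins_by_ip(log.sink, window_s=60, threshold=5)}


def run_demo() -> dict:
    return asyncio.run(_simulate())


if __name__ == "__main__":
    print(run_demo())
```

The queue is bounded on purpose: an unbounded one turns an audit flood into memory exhaustion, while a bounded one with a drop counter keeps the request path healthy and makes the loss itself observable. Recording the `denied` outcome, not just successes, is what gives the detection something to work with.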

Optional Agent mTLS

Cloudflare API Shield-based mTLS can be enabled for agent certificate issuance, renewal, and quarantine workflows.

SOC 2 Mapping

Breeze publishes SOC 2 Trust Services Criteria control alignment in documentation. This is a control mapping, not a public SOC 2 certification claim.

Open Source Transparency

Implementation details, workflows, and security docs are publicly inspectable in the Breeze repository.

Report a Security Issue

Follow coordinated disclosure and report vulnerabilities privately at [email protected]. The published policy targets acknowledgment within 48 hours.