How does Breeze RMM handle authentication?

Breeze supports multi-factor authentication (TOTP and optional SMS), role-based access control with middleware permission checks, scoped access across system, partner, and organization contexts, and API keys stored as SHA-256 hashes.

How does Breeze RMM protect tenant data?

Breeze enforces tenant isolation through request-scoped database context. Passwords use Argon2id hashing, tokens are persisted as hashes, and secrets are encrypted at rest with AES-256-GCM.

How do I report a security vulnerability in Breeze RMM?

Follow coordinated disclosure and report vulnerabilities privately at security@lanternops.io. The published policy targets acknowledgment within 48 hours. The full vulnerability disclosure policy is available on GitHub.

Trust center

Security and reliability transparency

Every security claim on this page links to the code or documentation that implements it. No marketing abstractions, just verifiable controls and open source.

16 controls across 4 domains Source: docs + code Last reviewed: March 2026

View security practices Browse docs

Identity and Access

4 controls

Authentication and authorization are layered for human users, API keys, and agents.

MFA support (TOTP and optional SMS) for user authentication.
Role-based access control with permission checks via middleware.
Scoped access model across system, partner, and organization contexts.
API keys are prefixed and stored as SHA-256 hashes, not plaintext.

Verify

Security Architecture Users and Roles Reference API Keys Reference

Tenant Isolation and Data Protection

4 controls

Data access is constrained with request-scoped database context and encrypted secret storage.

Tenant context is applied to database sessions with scoped values per request.
Passwords use Argon2id parameters defined in API services.
Session/API/agent tokens are persisted as hashes rather than raw token values.
Secrets are encrypted at rest with AES-256-GCM.

Verify

Security Practices (source) Security Architecture Secret Rotation Guide

Network and Application Security

4 controls

Breeze applies defense-in-depth controls at transport, request, and policy layers.

CORS allowlist model with wildcard rejection in production validation.
CSRF protection on sensitive cookie-authenticated flows using x-breeze-csrf.
Security headers include CSP, HSTS, X-Frame-Options, and Permissions-Policy.
Redis-backed sliding-window rate limiting is designed fail-closed if Redis is unavailable.

Verify

Security Architecture Security Hardening Guide Security CI Workflows

Monitoring, Audit, and Response

4 controls

Security-relevant activity is logged and operational procedures are documented.

Audit log events capture actor, action, resource, source IP, user agent, and outcome.
Asynchronous audit logging is used across mutating routes and services.
Backup, restore, and disaster recovery runbooks are documented.
Coordinated vulnerability disclosure policy includes response timelines.

Verify

Audit Logs Reference Backup and Restore Vulnerability Disclosure Policy

Transparency notes

Optional Agent mTLS

Cloudflare API Shield-based mTLS can be enabled for agent certificate issuance, renewal, and quarantine workflows.

SOC 2 Mapping

Breeze publishes SOC 2 Trust Services Criteria control alignment in documentation. This is a control mapping, not a public SOC 2 certification claim.

Open Source Transparency

Implementation details, workflows, and security docs are publicly inspectable in the Breeze repository.

Report a security issue

Follow coordinated disclosure and report vulnerabilities privately at [email protected]. The published policy targets acknowledgment within 48 hours.

Read disclosure policy Inspect source code