Security
How Neural Detective protects your data at every layer — from the network edge to the database row.
Data Isolation
Multi-tenant architecture with database-enforced boundaries.
PostgreSQL Row-Level Security
Every tenant-scoped table has a row-level security policy that filters rows by organization. Enforced by Postgres itself — not application code — so even a bug in our controllers cannot leak data across tenants.
Per-Request Tenant Context
Each request runs inside a transaction that sets a Postgres session variable (SET LOCAL) to the authenticated organization ID. RLS policies read this variable, so queries never return another tenant's rows. Because SET LOCAL is scoped to the transaction, the value cannot bleed into a later request that reuses the same pooled connection.
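The pattern described above, as an added example in Ruby (not Neural Detective's own code): the policy DDL for one tenant-scoped table and a per-request helper that sets the tenant context for exactly one transaction. The table and column names (projects, organization_id), the variable name app.current_org and the connection interface are assumptions; the stand-in connection exists only so the example runs without a database.

```ruby
# Added example (not Neural Detective's code). Table and column names
# (projects, organization_id) and the variable name app.current_org are
# assumptions; the pattern is what the page describes.

# Migration SQL for one tenant-scoped table. ENABLE turns RLS on; FORCE makes
# it apply to the table owner too, so the app's database role cannot bypass
# it (superusers and roles with BYPASSRLS still can, so never connect as one).
# current_setting(name, true) returns NULL when the variable is unset, and
# "organization_id = NULL" is never true, so a request that forgot to set the
# tenant context sees zero rows rather than every row: it fails closed.
RLS_MIGRATION_SQL = <<~SQL
  ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
  ALTER TABLE projects FORCE ROW LEVEL SECURITY;
  CREATE POLICY tenant_isolation ON projects
    USING (organization_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (organization_id = current_setting('app.current_org', true)::uuid);
SQL

UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Per-request tenant context. set_config(name, value, true) is the
# bind-parameter form of SET LOCAL (SET LOCAL cannot take $1), and the third
# argument scopes it to the current transaction, so the value cannot leak into
# the next request that reuses this pooled connection. `conn` is expected to
# behave like PG::Connection (#transaction, #exec_params).
def with_tenant(conn, org_id)
  raise ArgumentError, "org_id is not a UUID" unless UUID_RE.match?(org_id.to_s)
  conn.transaction do |c|
    c.exec_params("SELECT set_config('app.current_org', $1, true)", [org_id])
    yield c
  end
end

# Stand-in connection so the example runs without a database: it records the
# statements it would send, in order, in the same shape PG::Connection uses.
class RecordingConnection
  attr_reader :log

  def initialize
    @log = []
  end

  def transaction
    @log << "BEGIN"
    yield self
    @log << "COMMIT"
  rescue StandardError
    @log << "ROLLBACK"
    raise
  end

  def exec_params(sql, params = [])
    @log << [sql, params]
  end
end

# Runs one tenant-scoped query and returns the statement log.
def tenant_query(org_id)
  conn = RecordingConnection.new
  with_tenant(conn, org_id) { |c| c.exec_params("SELECT id, name FROM projects") }
  conn.log
end

if __FILE__ == $PROGRAM_NAME
  org = "123e4567-e89b-42d3-a456-426614174000" # constructed sample org id
  tenant_query(org).each { |entry| p entry }
end
```

Two checks worth keeping when adopting this: the application role must be neither a superuser nor marked BYPASSRLS (both ignore policies entirely), and the tenant id must be validated and bound rather than interpolated, even though it comes from an authenticated session.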
UUID Primary Keys
All records use UUIDv4 identifiers instead of sequential integers, so resource IDs cannot be guessed or enumerated. This closes off ID-guessing (IDOR) attacks; authorization itself still comes from row-level security, not from the unpredictability of the ID.
Encryption
Data protected in transit and at rest.
TLS Everywhere
All traffic is encrypted with TLS. HTTPS is enforced in production with HSTS headers, and plaintext HTTP requests are automatically redirected.
Encrypted Sensitive Attributes
Protected attribute values (gender, age group, etc.) used for bias monitoring are encrypted at the application layer using Rails encrypted attributes before being written to the database.
Hashed API Keys
API keys are SHA-256 hashed before storage; only the hash is ever written to the database. Because keys are long random strings rather than user-chosen secrets, a fast hash without bcrypt-style stretching is appropriate here. The raw key is shown once at creation and cannot be retrieved again.
bcrypt Password Hashing
User passwords are hashed with bcrypt using a cost factor of 12 in production. Raw passwords are never stored or logged.
API Security
Authentication, signing, and defence in depth.
Bearer Token Authentication
Every API request requires a valid API key in the Authorization header. Keys are prefixed (nd_live_) for easy identification and can be revoked instantly from the dashboard.
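The key lifecycle described in the Hashed API Keys and Bearer Token Authentication sections, as one added Ruby example (not Neural Detective's code): issuing a prefixed key, storing only its SHA-256 digest, resolving a Bearer header to an organization, and revoking by hash. The nd_live_ prefix is from the page; the key length, the in-memory store standing in for the api_keys table, and the function names are assumptions.

```ruby
require "securerandom"
require "digest"

# Added example (not Neural Detective's code). The nd_live_ prefix is from
# the page; the key length, the storage shape and the lookup interface are
# assumptions.

KEY_PREFIX = "nd_live_"

# Stand-in for the api_keys table, keyed by the SHA-256 hex digest of the raw
# key. The raw key is never written anywhere; it exists once, at creation.
class ApiKeyStore
  def initialize
    @by_hash = {}
  end

  # Issues a key for an organization and returns the raw key exactly once.
  # 32 random bytes (256 bits of entropy) put the key far beyond brute force,
  # which is why a fast unsalted hash is acceptable here, unlike passwords.
  def issue(org_id)
    raw = KEY_PREFIX + SecureRandom.hex(32)
    @by_hash[digest(raw)] = { org_id: org_id, revoked: false }
    raw
  end

  # Revocation is keyed by hash too, so the dashboard never needs the raw key.
  def revoke(key_hash)
    rec = @by_hash[key_hash]
    rec[:revoked] = true if rec
  end

  # Returns the owning org id, or nil for unknown or revoked keys. The lookup
  # is an exact-match hit on the digest; hashing normalises any input to 64
  # hex characters, so a malformed token never reaches the table unhashed.
  def lookup(raw)
    rec = @by_hash[digest(raw)]
    return nil if rec.nil? || rec[:revoked]
    rec[:org_id]
  end

  def stored_hashes
    @by_hash.keys
  end

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end

# Bearer authentication for one request. Returns the org id or nil.
def authenticate(store, authorization_header)
  return nil if authorization_header.nil?
  scheme, token = authorization_header.strip.split(/\s+/, 2)
  return nil unless token && scheme.casecmp?("Bearer")
  # Cheap rejection before hashing; the prefix also makes leaked keys easy to
  # recognise in logs and secret scanners.
  return nil unless token.start_with?(KEY_PREFIX)
  store.lookup(token)
end

if __FILE__ == $PROGRAM_NAME
  store = ApiKeyStore.new
  key = store.issue("org_demo") # constructed sample org id
  p authenticate(store, "Bearer #{key}")
  p authenticate(store, "Bearer #{key}x")
end
```

Because the digest is the lookup key, a database dump yields nothing usable: an attacker would need to invert SHA-256 on 256 bits of randomness to recover a working key.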
HMAC-Signed Webhooks
Outbound webhook payloads are signed with HMAC-SHA256 using a per-endpoint signing secret. The signature is delivered in the X-Signature-256 header. To verify authenticity, compute the HMAC over the raw request body (not a re-serialized copy) and compare it to the header value in constant time.
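Both halves of the exchange above, as an added Ruby example (not Neural Detective's code): the sender signs the exact bytes it transmits, and the receiver verifies against the raw body with a constant-time comparison before parsing. The X-Signature-256 header name is from the page; the sha256=<hex> value format, the secret and the event payload are assumptions.

```ruby
require "openssl"
require "json"

# Added example (not Neural Detective's code). The X-Signature-256 header name
# is from the page; the "sha256=<hex>" value format, the secret format and the
# event payload are assumptions.

SIGNATURE_HEADER = "X-Signature-256"

# Sender side: HMAC-SHA256 over the exact bytes that go on the wire.
def sign_webhook(secret, body)
  "sha256=" + OpenSSL::HMAC.hexdigest("SHA256", secret, body)
end

def build_delivery(secret, event)
  body = JSON.generate(event)
  {
    headers: { "Content-Type" => "application/json",
               SIGNATURE_HEADER => sign_webhook(secret, body) },
    body: body
  }
end

# Receiver side. Constant-time comparison: a plain == returns at the first
# mismatched byte, which leaks how many leading bytes an attacker got right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def verify_webhook(secret, raw_body, header_value)
  return false unless header_value.is_a?(String) && header_value.start_with?("sha256=")
  secure_equal?(sign_webhook(secret, raw_body), header_value)
end

# Verify against the raw body *before* parsing; a re-serialised copy of the
# JSON may differ in whitespace or key order and would not match. Returns the
# parsed event, or nil when the signature is missing or wrong.
def handle_webhook(secret, raw_body, headers)
  return nil unless verify_webhook(secret, raw_body, headers[SIGNATURE_HEADER])
  JSON.parse(raw_body)
end

if __FILE__ == $PROGRAM_NAME
  secret = "whsec_example_only" # constructed; real secrets are per endpoint
  delivery = build_delivery(secret, { "event" => "prediction.flagged", "id" => "evt_1" })
  p handle_webhook(secret, delivery[:body], delivery[:headers])
  tampered = delivery[:body].sub("evt_1", "evt_2")
  p handle_webhook(secret, tampered, delivery[:headers])
end
```

A valid signature proves the body came from the holder of the secret and was not altered; it does not, on its own, stop an attacker from replaying a captured delivery. If that matters for your endpoint, deduplicate on an event id or require a signed timestamp, which goes beyond what the page describes.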
Strong Parameter Whitelisting
All controller actions use explicit parameter permit lists. Blanket permit (permit!) is forbidden by project policy and enforced in code review.
Application Security
Headers, policies, and browser protections.
Content Security Policy
A strict CSP restricts script, style, image, and frame sources. frame-ancestors is set to 'none' to prevent clickjacking.
Sensitive Parameter Filtering
Passwords, tokens, API keys, SSNs, and other sensitive values are automatically redacted from application logs.
Separate Admin Authentication
The internal admin panel uses an isolated authentication realm with its own credentials, separate from customer accounts.
Continuous Security Testing
Automated checks on every commit.
Static analysis scanner that checks for SQL injection, XSS, mass assignment, and other Rails-specific vulnerabilities on every CI run.
Checks all Ruby gem dependencies against the Ruby Advisory Database for known CVEs before every deploy.
Scans vendored JavaScript dependencies for known vulnerabilities.
Questions about our security practices?
We're happy to discuss our architecture, answer security questionnaires, or schedule a call with our team.