Security Measures

Our applications and operations are designed from the ground up to be highly secure. We employ foundational, time-tested security approaches proven across the industry for decades. We do not rely on opaque third-party services or unmanaged cloud functions. Every component of our software is developed with security as a core focus, and we manage its operations at the lowest levels.

At Abyrint, the security of your data is fundamental to our platform design and operations. We employ a multi-layered security strategy, encompassing the application, the network, and our underlying infrastructure, to ensure the confidentiality, integrity, and availability of your information. This page provides a factual overview of our security measures.

Security Governance & Best Practices

We align our design and operations with established, industry‑recognized frameworks (e.g. OWASP Top Ten, NIST Cybersecurity Framework) and follow rigorous internal governance:

  • Regular internal audits (code reviews, configuration scans) and penetration tests.
  • Continuous vulnerability management using automated SAST/DAST tools.
  • Dedicated security steering committee to review incident metrics, threat intelligence, and roadmap.

Application Security

Our applications are designed with security as a core principle, from authentication and access control to data encryption and platform integrity.

Platform Access

The Abyrint Connect platform is available exclusively through our official web applications.

  • Main Application: https://connect.abyrint.com
  • Data Collection App: https://collect.abyrint.com

The data collection app is a Progressive Web App (PWA) and can be installed directly on your device from the webpage for offline use. It is also available on the Google Play Store. For Apple iOS users, the app can be installed on your home screen directly from the Safari browser.

Security Warning: For your protection, you should only access our services through these official URLs. Never follow links or accept invitations from unverified sources. The platform has server-side controls to block unauthorized external scripts and mitigate risks like cross-domain attacks.

Authentication and Access Control

We enforce strong, modern authentication methods to protect your account and session integrity.

  • Two-Factor Authentication (2FA) is Default: 2FA is mandatory for all users to provide a critical layer of security beyond just a password.
  • Primary 2FA Method - Passkeys: By default, we use Passkeys for two-factor authentication. This modern, phishing-resistant standard is supported by all major browsers and device manufacturers (Apple, Google, Microsoft) and provides superior security by replacing vulnerable passwords with cryptographic key pairs.
  • Alternative 2FA Methods: We also support Time-Based One-Time Password (TOTP) applications. If using this option, we recommend standard apps like Google Authenticator or Microsoft Authenticator.
  • Advanced Authentication: For workspaces with extremely sensitive information, it is possible to configure policies that require three-factor authentication or mandate the use of specific FIDO2/U2F USB security keys, which are verified by their unique identifiers.

Federated Login & Single Sign-On (SSO)

There is no open registration for the platform—access is by invitation only for Abyrint personnel and approved clients. We support two principal federated authentication methods under the OpenID Connect protocol:

  • Social Identity Providers: Users can log in with Google or Microsoft accounts. This accommodates users in environments where corporate email accounts are less common, such as fragile or developing regions.
  • Enterprise SSO: Workspaces can be configured for enterprise Single Sign-On. For example, users with @fcdo.gov.uk addresses can authenticate via the UK Government identity system. This follows standard OAuth/OpenID protocols.

For setup instructions and detailed configuration steps, please refer to the advanced documentation. To enable SSO functionality, contact your engagement partner to coordinate with your IT team.

Session Security

User authentication is protected using a combination of a JSON Web Token (JWT) and a secure, HttpOnly cookie that share a cryptographic relationship. The JWT is signed using the Ed25519 signature algorithm, a state-of-the-art, highly secure standard. To limit exposure, these tokens have a very short lifespan, measured in minutes.

Login sessions remain active for a maximum of 14 days, though this can be configured to a shorter interval by a workspace administrator. This limit is strictly enforced at the server level. Renewing a token requires an active and valid session.
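The following Go sketch is an added example, not Abyrint's code, showing how a server can check an Ed25519-signed, short-lived token that is tied to a session cookie. The page does not specify the cryptographic relationship between token and cookie, so the `sid` claim (a SHA-256 hash of the cookie value), the function names and the sample values are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// Claims.Sid is a hypothetical claim: the SHA-256 of the session cookie value.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // expiry, Unix seconds
	Sid string `json:"sid"`
}

func Issue(priv ed25519.PrivateKey, sub, cookie string, exp int64) string {
	h := sha256.Sum256([]byte(cookie))
	body, _ := json.Marshal(Claims{sub, exp, b64.EncodeToString(h[:])})
	msg := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(msg)))
}

// Verify always uses Ed25519; the header's "alg" value is never consulted.
func Verify(pub ed25519.PublicKey, token, cookie string, now int64) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	sig, e1 := b64.DecodeString(p[2])
	raw, e2 := b64.DecodeString(p[1])
	if e1 != nil || e2 != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return "", fmt.Errorf("bad signature")
	}
	var c Claims
	if json.Unmarshal(raw, &c) != nil || now >= c.Exp {
		return "", fmt.Errorf("token expired or unreadable")
	}
	if h := sha256.Sum256([]byte(cookie)); c.Sid != b64.EncodeToString(h[:]) {
		return "", fmt.Errorf("cookie mismatch")
	}
	return c.Sub, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	fmt.Println(Verify(pub, Issue(priv, "alice", "cookie-A", 1000), "cookie-B", 900))
}
```

A token copied out of the page's JavaScript context is rejected unless it arrives with the matching HttpOnly cookie, and the claims are only parsed after the signature has been verified.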

For your security, you have granular control over your active sessions. From the user administration section, you can:

  • Sign out of a specific session on a particular device (e.g., if you forgot to sign out from a public computer).
  • Sign out of all active sessions at once.

Workspace administrators can sign out all users within their workspace, and the platform administrator can sign out all users across the entire service if necessary.

Password Security

Your password is stored in our database only as a hash, computed with the industry gold-standard Argon2id hashing algorithm. This is a one-way process, meaning it is technically impossible for Abyrint personnel or any unauthorized party to access or recover your actual password. The application enforces a minimum password length of 12 characters, though we recommend using passphrases of 16 characters or more.

Roles and Permissions

Access to data is governed by a granular permissions system. Workspace administrators configure user roles and access rights. The system starts with Role-Based Access Control (RBAC), which can be further customized with specific rules to grant or deny read/edit rights to individual resources or sections.

Your Security Responsibilities

Security is a shared responsibility. The integrity of the platform relies on the security of the devices used to access it.

  • Device and OS Security: Please ensure your computer, tablet, or mobile phone has the latest operating system updates and security patches installed.
  • Browser Security: Always use an up-to-date, modern web browser. We recommend Safari for Apple users and the latest version of Chrome, Brave, Opera, or DuckDuckGo for other users.
  • Browser Extensions: Be cautious of browser extensions, as they can sometimes compromise your security. As a matter of policy, Abyrint personnel are not permitted to use browser extensions on their work devices.

Data Storage Security

We implement multiple layers of encryption to protect your data when it is stored on our systems (“at rest”).

Full Disk Encryption

All data on the platform is stored within the secure infrastructure of Hetzner or Scaleway, as listed in our Privacy Policy. All disks we use for permanent data storage are encrypted at rest.

  • Encryption Control: This encryption is controlled by Abyrint AS, not by the infrastructure provider or any other third party. This ensures protection against illegitimate physical access to the disks at runtime or if hardware is discarded.
  • Technology: We use the Linux Unified Key Setup (LUKS) framework, which encrypts the entire operating system and data partitions. It uses a 512-byte key with an underlying AES-XTS cipher. There is no publicly documented method for breaching this type of encryption, which is generally considered to provide strong resistance against future post-quantum attacks.

Individual File Encryption

In addition to full disk encryption, individual files and data blobs are encrypted separately before being stored.

  • Algorithm: We use AES-GCM with a 256-bit key. This is a highly secure, authenticated encryption algorithm.
  • Key Management: Abyrint manages the encryption keys for this process. This does not apply to data that is end-to-end encrypted, for which only the end-users hold the keys.

End-to-End Encryption (E2EE)

For the highest level of confidentiality, certain platform features utilize end-to-end encryption. The Workspace Secrets application is always end-to-end encrypted, and E2EE can be enabled for data from the Field Data Collection App. When E2EE is active, data is encrypted on your device, and only authorized workspace members hold the keys. This ensures that it is not technically possible for Abyrint to decrypt the content of your E2EE data.

Network Security

All data transmitted between your device and our platform is encrypted to prevent eavesdropping or interception.

Encryption in Transit

We utilize Transport Layer Security (TLS 1.2 and higher) for all network traffic. Our encryption approach is two-fold:

  1. The static application shell (the user interface) is loaded securely from a global content delivery network with SSL certificates issued by Cloudflare, Inc.
  2. All communication containing your data travels through a direct, encrypted tunnel from the application to our managed edge servers. The SSL certificates for this data tunnel are issued by Buypass AS, a trusted Certificate Authority based in Oslo, Norway.

Internal Network

Our edge servers are located in Germany and operated by Hetzner. All further traffic from these servers into our core backend systems is encrypted within a Virtual Private Network (VPN) using WireGuard®. The encryption keys for this internal network are generated by and solely available to Abyrint, ensuring that all internal service-to-service communication is secure and isolated.

Database Backup Security

All backups of databases remain within the secure infrastructure described above. Database backups are individually encrypted using AES-GCM with a 256-bit key, with encryption keys exclusively controlled by Abyrint AS. Backups are rotated on a regular schedule. If sensitive data is deleted from a database, it may persist in backups for a limited period, but all backup snapshots are eventually rotated out and permanently and irrevocably deleted.
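The following Go sketch is an added example, not Abyrint's code, of the AES-GCM pattern with a 256-bit key described above for individual files and for database backups. The function names, the `label` parameter bound as associated data, and the all-zero demonstration key are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // aes.NewCipher would also accept 16- or 24-byte keys
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// SealBlob encrypts one file or backup with a fresh random nonce. label (for
// example a record ID) is authenticated but not encrypted.
func SealBlob(key []byte, label string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil // nonce || ciphertext || tag
}

// OpenBlob fails if the key, label, nonce, ciphertext or tag has been altered.
func OpenBlob(key []byte, label string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, for demonstration only
	sealed, _ := SealBlob(key, "blob-1", []byte("field report"))
	fmt.Println(OpenBlob(key, "blob-2", sealed)) // label swapped: authentication fails
}
```

Because GCM is authenticated, a modified or relabelled ciphertext is rejected at decryption time instead of yielding corrupted plaintext.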

Server Application Security

All server applications are fully controlled and maintained by Abyrint AS; we do not rely on any third‑party hosting or runtime services. Our backend services are written in Go, a modern, statically compiled language that produces minimal, self‑contained binaries. These static binaries reduce the attack surface and prevent runtime tampering, and each release is verified via a hash signature.

We develop nearly all code in‑house or under strict Abyrint control, using only the Go core standard library with minimal external dependencies. This approach leverages Go’s security benefits—strong typing, memory safety, and static compilation—while minimizing supply‑chain risk.

Our front‑end applications are developed in TypeScript and compiled to JavaScript, with a minimal set of dependencies. All front‑end code is also maintained in‑house, further reducing exposure to third‑party vulnerabilities and ensuring robust supply‑chain integrity.

Database Application Security

Databases run as applications on our secure infrastructure. We use only SQL‑compliant databases, predominantly PostgreSQL or SQLite, leveraging industry‑grade distributions. Abyrint AS fully manages the installation, configuration, operation, persistence, and backup processes for all database software, ensuring consistent security and availability standards.

Direct or manual access to the databases is not possible. Databases are accessible only over the internal WireGuard network between servers. The platform API serves as the sole gatekeeper for all database interactions, ensuring strict access control and auditing. All database queries are parameterized and entirely controlled by the API. Access to databases over the public internet is not possible.

Server Core Security

All servers run on Linux operating systems, using enterprise-stable versions installed manually from cryptographically signed Linux distributions. We minimize the server footprint by trimming the operating system to essential components only. A standardized, programmatic configuration process enforces hundreds of security-related configurations automatically, reducing the risk of manual errors or misconfigurations.

Logging & Monitoring

The platform maintains logging at both server and application levels to track errors, performance issues, and potential abuse attempts. These logs generally do not store personal information, except in cases of presumed illegitimate access—such as high-frequency login attempts or repeated failed access attempts.

Rate & IP Limits

Automated rate‑limiting protocols are in place to mitigate abuse, limiting the number of requests per IP address or user within a specified timeframe. If required, these controls can be further restricted to accept traffic only from approved IP address ranges.

Physical & Facility Security

Application data is stored exclusively in industry-grade data centers operated by Hetzner and Scaleway. Abyrint does not retain any application data in its offices. These providers enforce robust physical security measures, including controlled access points, logging of entry and exit events, continuous CCTV surveillance, fire suppression systems, uninterruptible power supplies (UPS), and environmental monitoring for temperature and humidity. Data backups are also geographically replicated across these facilities to ensure resilience and continuity.

Root & Key Access Control

Access to root data, encryption keys, server applications, and binary distributions is extremely limited. Only a few select Abyrint personnel have these privileges. Access is further restricted by requiring authorized devices, hardware security keys (e.g., YubiKeys), and/or biometric authentication. Support personnel do not have access to user data beyond minimal account information. External consultants and non‑authorized staff are explicitly prevented from accessing any application or customer data.

Recovery Procedures

Abyrint maintains documented internal recovery procedures for events such as data loss or facility disruption. These procedures are regularly tested and largely automated to ensure rapid and reliable restoration of operations and data availability.