Security
Security-by-design, reported without inflation
Devory's security posture is still developing alongside the product. This page separates what is implemented today from what is actively being built and what remains a future objective. Devory does not claim SOC 2, ISO 27001, PCI DSS or any other certification unless it has genuinely been obtained.
Existing controls
- Authorization is policy-governed and deny-by-default: access must be explicitly granted, not implicitly assumed.
- Role separation exists between personal and organisation-scoped identities.
- Secrets and credentials are never embedded in client-facing frontend code.
- Software components carry integrity verification so tampering with a package can be detected.
- Execution is currently restricted to trusted, vetted components only — there is no untrusted or arbitrary code execution path.
Controls under development
- Encryption at rest for locally stored secrets is being designed and is not yet complete.
- Tenant and organisation data isolation at the storage layer is being scoped before it is wired into live cloud infrastructure.
- Automated security scanning and reporting tooling is under active development.
- Sandboxed execution of untrusted or third-party components is not yet implemented.
Future compliance objectives
- Devory intends to evaluate formal compliance frameworks (such as SOC 2) once the platform and its operating processes are mature enough to support them.
- Devory intends to publish a dedicated responsible-disclosure process as the security program matures.