Security at Musher
Security is built into the architecture — encryption, isolation, and integrity verification at every layer. Not bolted on after the fact.
Compliance: SOC 2 Type II (in progress), GDPR, CCPA
How we protect your data
Specific controls, not vague promises.
Data Protection
- AES-256 encryption at rest via managed cloud KMS
- TLS 1.3 enforced on all endpoints
- Row-level tenant isolation at the database layer
- Encrypted backups with 30-day point-in-time recovery
Infrastructure
- Hosted on AWS (us-east-1) with network isolation
- PostgreSQL with automated daily backups
- OCI-compliant container registry for bundle storage
- DDoS protection and rate limiting at the edge
Access & Identity
- Role-based access control (RBAC) per workspace
- Scoped API keys with granular permissions
- Organization-level workspace isolation
- Full audit logging of all API operations
Application Security
- OCI content signing with ECDSA P-256 keys
- Bundle integrity verification on every install
- Configurable trust policies per organization
- Input validation at every API boundary
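The install-time check that the signing, integrity-verification and trust-policy items above describe, written out as an added example in Go. This is not Musher's code: the signed-payload format, the key ID scheme and the type and function names are assumptions, and the bundle bytes are a constructed sample. The check runs in the order a verifier should use: recompute the content digest and compare it with the manifest digest, look the signing key up in the organization's trust policy, and only then verify the ECDSA P-256 signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bundle is what a client pulls: bytes plus the "sha256:<hex>" digest the OCI manifest claims for them.
type Bundle struct {
	Digest  string
	Content []byte
}

// Signature is a DER-encoded ECDSA P-256 signature over SignedPayload(b) plus the signing key's ID.
type Signature struct {
	KeyID string
	DER   []byte
}

// TrustPolicy is one organization's accepted signing keys, by KeyID; any other signer is rejected.
type TrustPolicy map[string]*ecdsa.PublicKey

// DigestOf computes an OCI-style "sha256:<hex>" digest of a blob.
func DigestOf(data []byte) string {
	sum := sha256.Sum256(data)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// KeyID names a key by the digest of its uncompressed SEC1 point encoding (assumed scheme).
func KeyID(pub *ecdsa.PublicKey) string {
	n := (pub.Curve.Params().BitSize + 7) / 8
	raw := append(pub.X.FillBytes(make([]byte, n)), pub.Y.FillBytes(make([]byte, n))...)
	return DigestOf(append([]byte{0x04}, raw...))
}

// Trust adds a signing key to the policy; only P-256 keys are accepted.
func (p TrustPolicy) Trust(pub *ecdsa.PublicKey) (string, error) {
	if pub.Curve != elliptic.P256() {
		return "", errors.New("trust policy: only ECDSA P-256 keys are accepted")
	}
	id := KeyID(pub)
	p[id] = pub
	return id, nil
}

// SignedPayload is what the key signs: a domain-separated hash of the bundle digest (assumed
// format). Signing the digest rather than the bytes ties one signature to one immutable blob.
func SignedPayload(b Bundle) []byte {
	sum := sha256.Sum256([]byte("musher-bundle-signature-v1\n" + b.Digest))
	return sum[:]
}

func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign refuses a manifest whose digest does not match its content.
func Sign(priv *ecdsa.PrivateKey, b Bundle) (Signature, error) {
	if DigestOf(b.Content) != b.Digest {
		return Signature{}, errors.New("sign: manifest digest does not match content")
	}
	der, err := ecdsa.SignASN1(rand.Reader, priv, SignedPayload(b))
	return Signature{KeyID: KeyID(&priv.PublicKey), DER: der}, err
}

// Verify is the install-time check: integrity (bytes match the manifest digest),
// then trust (signer is in this org's policy), then the signature itself.
func (p TrustPolicy) Verify(b Bundle, s Signature) error {
	if got := DigestOf(b.Content); got != b.Digest {
		return fmt.Errorf("integrity: content digest %s != manifest digest %s", got, b.Digest)
	}
	pub, ok := p[s.KeyID]
	if !ok {
		return fmt.Errorf("trust: key %s is not in the organization's policy", s.KeyID)
	}
	if !ecdsa.VerifyASN1(pub, SignedPayload(b), s.DER) {
		return errors.New("signature: ECDSA P-256 verification failed")
	}
	return nil
}

func main() {
	priv, _ := GenerateKey()
	policy := TrustPolicy{}
	policy.Trust(&priv.PublicKey)
	content := []byte("constructed bundle payload") // constructed sample, not a real bundle
	b := Bundle{Digest: DigestOf(content), Content: content}
	sig, _ := Sign(priv, b)
	fmt.Println("genuine:", policy.Verify(b, sig))
	fmt.Println("tampered:", policy.Verify(Bundle{Digest: b.Digest, Content: []byte("x")}, sig))
}
```

Two failure modes are worth tracing through. Swapping the bundle bytes while keeping the original manifest digest fails the integrity check before any key is consulted. An attacker who also rewrites the digest to match the new bytes passes the integrity check but not the signature check, because the signature is bound to the original digest; a signature from a key the organization never added to its policy fails at the trust step even though it is cryptographically valid.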
Operational Security
- Automated monitoring and alerting
- Incident response procedures with defined escalation
- Automated dependency scanning and updates
- Public status page at status.musher.dev
Security practices
Development
- All code changes require peer review before merge
- Automated CI/CD pipeline with linting, type checking, and test suites
- Dependency vulnerability scanning on every pull request
- Infrastructure-as-code with version-controlled deployments
Vulnerability Management
- Responsible disclosure program (see contact below)
- Critical vulnerabilities patched within 24 hours
- High-severity issues resolved within 7 days
- Automated alerts for newly disclosed CVEs in dependencies
Responsible Disclosure
Found a vulnerability? We welcome responsible disclosure. Report security issues directly and we will acknowledge receipt within 48 hours.
[email protected]
Last updated: March 2026