Security

Security practices and data protection for the Uru platform

Security-First Architecture

Uru implements security best practices throughout the platform to protect your business data and operations.

Data Protection

Encryption

  • Data in Transit: HTTPS/TLS encryption for all data transmission
  • API Keys: AES-256-GCM authenticated encryption for stored API keys
  • Password Storage: Bcrypt hashing for user passwords
  • Database Security: Supabase PostgreSQL with built-in encryption

Data Isolation

  • Multi-tenancy: Complete workspace-based data isolation
  • Row-Level Security: PostgreSQL RLS policies enforce workspace boundaries
  • Workspace Isolation: All data queries automatically filtered by workspace context

Authentication & Access Control

Authentication Methods

  • JWT Tokens: Short-lived access tokens (1 hour) with workspace-specific claims
  • Refresh Tokens: Secure refresh token rotation with 30-day expiry
  • API Keys: User-generated API keys with scoped permissions for external access
  • Session Management: Device tracking and IP logging for security monitoring
  • Token Blacklisting: Immediate token revocation capability

Access Controls

  • Role-Based Access: Workspace member roles (owner, admin, member)
  • Workspace Isolation: Users can access only the workspaces they are authorized for
  • Integration Management: OAuth connections managed via Composio SDK
  • Activity Logging: Comprehensive audit logs for authentication and actions

Infrastructure Security

Platform Infrastructure

  • Database: Supabase PostgreSQL with managed security and backups
  • Containerization: Docker-based microservices architecture
  • Service Separation: Frontend, backend, and MCP proxy as isolated services
  • Environment Isolation: Separate development and production environments

Application Security

  • Input Validation: Server-side validation for all user inputs
  • CORS Configuration: Controlled cross-origin resource sharing
  • Rate Limiting: API rate limiting to prevent abuse
  • Security Headers: HTTP security headers for browser protection

Monitoring & Logging

Activity Monitoring

  • Activity Logs: Comprehensive logging of user actions and system events
  • Authentication Tracking: Login attempts, session creation, and token usage
  • Integration Activity: Third-party integration connections and disconnections
  • Tool Execution Logs: Records of all tool calls and API interactions

Data Privacy

  • Data Minimization: We only collect data necessary for service delivery
  • User Control: Users can export and delete their data
  • Third-Party Integrations: OAuth tokens managed securely via Composio
  • Transparent Practices: Clear privacy policy and data handling practices

Data Backup & Recovery

Database Backups

  • Managed Backups: Supabase provides automated database backups
  • Point-in-Time Recovery: Database restoration capabilities
  • Data Retention: Backup retention policies for data recovery

Reporting Security Issues

If you discover a security vulnerability, please report it to our team:

  • Email us at support@uruenterprises.com with details
  • Include steps to reproduce the issue if possible
  • We will respond promptly to investigate and address the concern

Security Contact

For security concerns or questions about our security practices:

Support: support@uruenterprises.com

LinkedIn: linkedin.com/company/uru-enterprises

Security is an ongoing commitment. We continuously work to improve our security practices to protect your business data and operations.