Security disclosure

Our security posture

Government contractors handle CUI, NDAs, and pricing data. Our security posture is enterprise-grade from day one — because federal contractors have to be.

Encryption in transit

TLS 1.2+ everywhere. Render enforces HTTPS.

Encryption at rest

Postgres + Redis encrypted on Render. Field-level Fernet encryption on PII (EIN, contact details, Stripe IDs).

Identity + MFA

Auth0 OIDC with JWKS-verified ID tokens. MFA required on Pro and Agency tiers.

Audit log

Every login, billing event, data export, and agent action logged with structured JSON for SIEM ingestion.

Rate limiting

Per-IP per-bucket sliding-window Redis limiter. Aggressive throttling on freemium endpoints.

CSP + headers

Strict CSP with a per-request nonce, HSTS preload, X-Frame-Options: DENY, Permissions-Policy zero.

Stripe webhook security

Every webhook signature verified against STRIPE_WEBHOOK_SECRET. Unsigned events rejected.

Disclosure policy

security@agora-virtual.com · 90-day fix SLA · safe harbor for good-faith research

Report a vulnerability

Send a detailed report to security@agora-virtual.com. We acknowledge within 1 business day, triage within 3, and credit you in the release notes once we ship the fix.