Security
How Jallarhorn™ is built. What is enforced in code today, and what we do not yet claim. We list gaps with the same weight as strengths, because "not yet" is the honest answer more often than any security page admits.
Authentication
JWT HS256 sessions with a 256-bit signing secret. On sign-in the token is set in an httpOnly, Secure, SameSite cookie; the single-page app also keeps a copy in localStorage for XHR Authorization headers (moving to cookie-only is on our hardening list). Passwords are hashed with bcrypt at a current cost factor. The shared-secret ingest path uses constant-time comparison; per-sensor API keys are stored only as SHA-256 hashes and matched by hash.
Transport
TLS on every public endpoint, terminated by Caddy with automatic certificate management. HSTS with a 1-year max-age, includeSubDomains, and the preload directive set. Modern cipher suites only; no TLS 1.0/1.1. Farm-to-control links authenticate with a shared secret over TLS; mutual-TLS client certificates are on the roadmap.
Data at rest
All persistent data lives on encrypted VPS disks. Database credentials are scoped per service. Metric data is tenant-scoped in every query path; cross-tenant access returns 9999 forbidden at the stored-procedure layer, not just in the route handler.
API keys
Only the SHA-256 hash of an API key is stored server-side. The plaintext is shown exactly once, at creation. Keys are scoped to a tenant and a set of permissions, and they are revocable from the UI and the API. Lookups are by hash; the plaintext key never touches the database.
Supply chain
Every release artifact is signed with cosign using our release key (key-based, not a third-party transparency log); the public key is at jallarhorn.com/cosign.pub. SPDX SBOMs are produced by syft and published next to each artifact. Verification instructions are in the download docs. Container images on jallarhorn.com are signed with the same key.
SSO — every plan
LDAP with group-to-role mapping. SAML tested against Entra ID, Okta, and Google Workspace with six-claim attribute mapping. OIDC for any compliant provider. No SAML-is-an-upsell pricing — SSO is included on every plan, Free included.
Audit logs
Authentication events, configuration changes, and admin actions are written to an audit table. Append-only checksum-chained storage is on the roadmap. Operators can export the audit log on demand via the REST API.
Rate limiting
Per-tenant and per-IP token buckets on the auth routes and on the write paths. Login throttling with exponential back-off on failure. Notification dispatch has its own quota to prevent runaway alert loops.
Invite-only registration
Hosted Jallarhorn does not offer open signup at the tenant level. Tenants are provisioned at purchase; users are invited by an admin with a scoped role and an expiring invite token. Self-hosted installs follow the same pattern by default.
What we do not yet have
We would rather be honest about gaps than market around them.
- No SOC 2 attestation. We have not run a SOC 2 Type II audit. We also have not started a gap analysis with Vanta or Drata. If your procurement requires SOC 2, Jallarhorn does not meet that bar today.
- No HIPAA BAA. Trellis Digital Services LLC does not sign Business Associate Agreements. Jallarhorn is not a HIPAA-compliant offering. Self-host if you need ePHI isolation.
- No completed third-party penetration test report. Internal review and dependency scanning happen on every release; a public pentest attestation is on the roadmap but unscheduled.
- No append-only audit log yet. Audit rows are in a regular relational table. Checksum-chained append-only storage is tracked as a Q3 2026 item.
- No scale benchmark. We have not published a 5,000-sensor or 100,000-device load test. Claims you see elsewhere in the space are usually unverified; ours will be published with the workload and hardware specification when they are measured.
Open-source components
Jallarhorn stands on a long list of open-source projects. The table below lists every direct runtime dependency with its license. A full SPDX SBOM is published for every tagged release and attached to the GitHub release artifacts (run syft against the Jallarhorn Docker image if you need to verify the claim yourself). Transitive dependencies are covered by the same SBOM.
| Component | Role | License |
|---|---|---|
| PostgreSQL 16 | Primary store for accounts, alerts, devices, config | PostgreSQL (permissive) |
| TimescaleDB Community | Time-series hypertables for metrics | Apache 2.0 (Community Edition) |
| NATS + JetStream | Sensor-to-control event queue, durable consumers | Apache 2.0 |
| Standard runtime | All three executables (control, sensor, farm) ship as single static binaries | BSD-3-Clause |
| Gin | HTTP router inside jallarhorn-control | MIT |
| pgx/v5 | PostgreSQL driver | MIT |
| bbolt | Embedded key-value store for sensor WAL | MIT |
| Payment processor SDK | Billing integration | MIT |
| SAML, OIDC, LDAP libraries | SSO providers (SAML, OIDC, LDAP) | BSD-2-Clause / Apache 2.0 / MIT |
| gosnmp, gopacket, pro-bing | SNMP, packet capture, ICMP | BSD-3-Clause / MIT |
| gofpdf | SLA PDF report generation | MIT |
| cosign + syft | Release signing and SBOM generation | Apache 2.0 |
| React 18 + TypeScript | Dashboard SPA | MIT |
| Vite | Dashboard build tool | MIT |
| recharts, @xyflow/react, leaflet | Charts, topology graphs, maps in the Dashboard | MIT |
| Lucide | Icon set (the only icon library Jallarhorn uses) | ISC |
| Inter, Space Grotesk | Typography (via Google Fonts) | SIL Open Font License 1.1 |
A corrected or amended list can be requested via support@jallarhorn.com.
Report a vulnerability
Email support@jallarhorn.com. We acknowledge within one business day, set a disclosure timeline with you, and credit you in the release notes if you want the credit.