Security
How Jallarhorn™ is built. What is enforced in code today, and what we do not yet claim. We list gaps with the same weight as strengths, because "not yet" is the honest answer more often than any security page admits.
Authentication
JWT HS256 sessions with a 256-bit signing secret. Tokens are delivered in httpOnly, Secure, SameSite=Lax cookies — not in local storage. Passwords are hashed with bcrypt at a cost factor that is kept current. API keys are compared in constant time to defeat timing side-channels.
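The session scheme above, worked through in Go with only the standard library. This is an added example, not Jallarhorn's own code: the cookie name "session", the claim set and the fixed demo secret are assumptions. It shows the two properties that matter when verifying HS256 by hand: the MAC is computed with HS256 regardless of what the header claims (so an "alg":"none" token never gets a free pass) and compared in constant time, and nothing in the payload is trusted before that check passes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims is the minimal session payload used in this example (an assumption, not the product's schema).
type Claims struct {
	Sub string `json:"sub"` // user ID
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

// sign builds a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256(secret, header.payload)).
// A secret shorter than 256 bits is refused so the key is never weaker than the hash.
func sign(secret []byte, c Claims) (string, error) {
	if len(secret) < 32 {
		return "", errors.New("HS256 secret must be at least 256 bits")
	}
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verify recomputes the HS256 MAC and compares it in constant time before trusting
// anything in the token. The header's alg is checked afterwards for completeness; the
// real protection against alg confusion is that we never let the header choose the algorithm.
func verify(secret []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) { // hmac.Equal is constant-time
		return Claims{}, errors.New("bad signature")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return Claims{}, errors.New("bad header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unexpected alg")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, errors.New("bad payload")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// sessionCookie carries the token with the flags the page describes: unreadable from
// script (HttpOnly), HTTPS only (Secure), not attached to cross-site POSTs (SameSite=Lax).
func sessionCookie(token string, exp time.Time) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    token,
		Path:     "/",
		Expires:  exp,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	secret := []byte(strings.Repeat("k", 32)) // constructed demo key; use crypto/rand in production
	now := time.Now()
	tok, _ := sign(secret, Claims{Sub: "user-42", Exp: now.Add(time.Hour).Unix()})
	c, err := verify(secret, tok, now)
	fmt.Println(c.Sub, err, sessionCookie(tok, now.Add(time.Hour)).String())
}
```

One caveat that follows from HS256 itself: the same secret both signs and verifies, so every process that can check a session can also mint one. The secret should live only in the component that issues and validates sessions, not in every service that merely consumes the cookie.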
Transport
TLS on every public endpoint. HSTS with a 1-year max-age, includeSubDomains, and preload submitted. Modern cipher suites only; no TLS 1.0/1.1. Farm-to-control links use mutual TLS.
Data at rest
All persistent data lives on encrypted VPS disks. Database credentials are scoped per service. Metric data is tenant-scoped in every query path; a cross-tenant request is refused at the stored-procedure layer (the API returns 403 Forbidden), not just in the route handler.
API keys
Only the SHA-256 hash of an API key is stored server-side. The plaintext is shown exactly once, at creation. Keys are scoped to a tenant and a set of permissions, and they are revocable from the UI and the API. Hash comparison is timing-safe.
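The issue/verify flow above, written out in Go as an added example (not Jallarhorn's code). The "jh_<id>.<secret>" key format, the in-memory store and the permission names are assumptions for the example. The part worth copying is Authorize: the presented key is hashed and compared with crypto/subtle in constant time, a lookup miss still performs a comparison so timing does not reveal whether an id exists, and the tenant, revocation and permission checks all collapse into one generic error.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyRecord is everything the server retains. The plaintext is never stored.
type keyRecord struct {
	Tenant  string
	Perms   map[string]bool
	Hash    [32]byte // SHA-256 of the full plaintext key
	Revoked bool
}

// KeyStore is an in-memory stand-in for the database table (assumption for this example).
type KeyStore struct {
	byID map[string]*keyRecord // keyed by the public key id
}

func NewKeyStore() *KeyStore { return &KeyStore{byID: map[string]*keyRecord{}} }

var enc = base64.RawURLEncoding

// Issue mints "jh_<id>.<secret>" (format assumed for this example), stores only
// sha256(plaintext) under the public id, and returns the plaintext exactly once.
func (s *KeyStore) Issue(tenant string, perms ...string) (id, plaintext string, err error) {
	raw := make([]byte, 8+32) // 64-bit public id + 256-bit secret
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	id = enc.EncodeToString(raw[:8])
	plaintext = "jh_" + id + "." + enc.EncodeToString(raw[8:])
	rec := &keyRecord{Tenant: tenant, Perms: map[string]bool{}, Hash: sha256.Sum256([]byte(plaintext))}
	for _, p := range perms {
		rec.Perms[p] = true
	}
	s.byID[id] = rec
	return id, plaintext, nil
}

// Revoke invalidates a key by its public id; the hash stays so the id is not reused.
func (s *KeyStore) Revoke(id string) {
	if r, ok := s.byID[id]; ok {
		r.Revoked = true
	}
}

// ErrDenied is deliberately generic: the caller learns nothing about which check failed.
var ErrDenied = errors.New("forbidden")

// dummy is compared against when the id is unknown, so a miss costs the same time as a hit.
var dummy = sha256.Sum256([]byte("no-such-key"))

// Authorize checks the presented key's hash in constant time, then tenant scope,
// revocation and the required permission.
func (s *KeyStore) Authorize(presented, tenant, perm string) error {
	id, ok := keyID(presented)
	rec := s.byID[id]
	stored := dummy[:]
	if ok && rec != nil {
		stored = rec.Hash[:]
	}
	got := sha256.Sum256([]byte(presented))
	match := subtle.ConstantTimeCompare(got[:], stored) == 1
	if !ok || rec == nil || !match || rec.Revoked || rec.Tenant != tenant || !rec.Perms[perm] {
		return ErrDenied
	}
	return nil
}

// keyID pulls the public id out of "jh_<id>.<secret>".
func keyID(k string) (string, bool) {
	if !strings.HasPrefix(k, "jh_") {
		return "", false
	}
	id, _, found := strings.Cut(k[3:], ".")
	return id, found
}

func main() {
	s := NewKeyStore()
	id, key, _ := s.Issue("tenant-a", "metrics:read")
	fmt.Println("show once:", key)
	fmt.Println("read ok:", s.Authorize(key, "tenant-a", "metrics:read"))
	s.Revoke(id)
	fmt.Println("after revoke:", s.Authorize(key, "tenant-a", "metrics:read"))
}
```

A plain SHA-256 (rather than bcrypt) is the right choice here because the secret half of the key is 256 random bits, so there is nothing for an offline guess to gain from a slow hash; bcrypt belongs on passwords, where the input is low-entropy.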
Supply chain
Every tagged release is signed with cosign in keyless mode via GitHub OIDC. SPDX SBOMs are produced by syft and attached to the release. Verification instructions are in the install docs. We also publish container images under the same signature scheme.
SSO (Business and up)
LDAP with group-to-role mapping. SAML tested against Entra ID, Okta, and Google Workspace with six-claim attribute mapping. OIDC for any compliant provider. No SAML-is-an-upsell pricing — SSO is in the $79/mo Business tier.
Audit logs
Authentication events, configuration changes, and admin actions are written to an audit table. Append-only checksum-chained storage is on the roadmap for Q3 2026. Operators can export the audit log on demand via the REST API.
Rate limiting
Per-tenant and per-IP token buckets on the auth routes and on the write paths. Login throttling with exponential back-off on failure. Notification dispatch has its own quota to prevent runaway alert loops.
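The three mechanisms above (per-key token buckets, exponential login back-off, and the order they are applied in on an auth route), as an added Go example that is not Jallarhorn's code. The bucket sizes, the one-second base delay and the key strings are assumptions; the clock is passed in explicitly so the behaviour can be checked without sleeping.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// bucket holds up to burst tokens and refills continuously at rate tokens/second.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter keeps one bucket per key (an IP, a tenant ID, a tenant+route pair, ...).
type Limiter struct {
	mu      sync.Mutex
	rate    float64 // refill, tokens per second
	burst   float64 // capacity
	buckets map[string]*bucket
}

func NewLimiter(rate, burst float64) *Limiter {
	return &Limiter{rate: rate, burst: burst, buckets: map[string]*bucket{}}
}

// Allow spends one token from key's bucket if one is available. Production code
// passes time.Now(); tests pass a fixed clock.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[key] = b
	}
	b.tokens += now.Sub(b.last).Seconds() * l.rate // refill for elapsed time
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// LoginThrottle locks an account out for base, 2*base, 4*base, ... (capped at max)
// after each consecutive failure, and clears the history on success.
type LoginThrottle struct {
	mu          sync.Mutex
	base, max   time.Duration
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewLoginThrottle(base, max time.Duration) *LoginThrottle {
	return &LoginThrottle{base: base, max: max, failures: map[string]int{}, lockedUntil: map[string]time.Time{}}
}

// RetryAfter reports how long key must still wait; zero means the attempt may proceed.
func (t *LoginThrottle) RetryAfter(key string, now time.Time) time.Duration {
	t.mu.Lock()
	defer t.mu.Unlock()
	if until, ok := t.lockedUntil[key]; ok && now.Before(until) {
		return until.Sub(now)
	}
	return 0
}

// Fail records a failed attempt and returns the lockout it imposes.
func (t *LoginThrottle) Fail(key string, now time.Time) time.Duration {
	t.mu.Lock()
	defer t.mu.Unlock()
	n := t.failures[key]
	t.failures[key] = n + 1
	if n > 30 { // keep the shift well inside int64
		n = 30
	}
	delay := t.base << uint(n)
	if delay > t.max {
		delay = t.max
	}
	t.lockedUntil[key] = now.Add(delay)
	return delay
}

// Succeed resets the account's failure history.
func (t *LoginThrottle) Succeed(key string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.failures, key)
	delete(t.lockedUntil, key)
}

// AuthGate layers the checks for an auth route: per-IP bucket, per-tenant bucket,
// then the per-account lockout, all before the password is even looked at.
type AuthGate struct {
	PerIP, PerTenant *Limiter
	Throttle         *LoginThrottle
}

// Admit returns a reason when the attempt must be refused.
func (g *AuthGate) Admit(ip, tenant, user string, now time.Time) (reason string, ok bool) {
	if !g.PerIP.Allow(ip, now) {
		return "per-IP limit", false
	}
	if !g.PerTenant.Allow(tenant, now) {
		return "per-tenant limit", false
	}
	if wait := g.Throttle.RetryAfter(tenant+"/"+user, now); wait > 0 {
		return "locked out, retry in " + wait.String(), false
	}
	return "", true
}

func main() {
	g := &AuthGate{PerIP: NewLimiter(1, 3), PerTenant: NewLimiter(5, 20), Throttle: NewLoginThrottle(time.Second, 8*time.Second)}
	now := time.Now()
	for i := 0; i < 5; i++ { // constructed burst from one address
		reason, ok := g.Admit("10.0.0.5", "tenant-a", "alice", now)
		fmt.Println(i, ok, reason)
	}
}
```

The lockout is keyed by tenant and user rather than by IP so a distributed guesser still hits the same back-off; the IP bucket is what stops a single source from burning through the whole tenant quota.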
Invite-only registration
Hosted Jallarhorn does not offer open signup at the tenant level. Tenants are provisioned at purchase; users are invited by an admin with a scoped role and an expiring invite token. Self-hosted installs follow the same pattern by default.
What we do not yet have
We would rather be honest about gaps than market around them.
- No SOC 2 attestation. We have not run a SOC 2 Type II audit. We also have not started a gap analysis with Vanta or Drata. If your procurement requires SOC 2, Jallarhorn does not meet that bar today.
- No HIPAA BAA. Trellis Digital Services LLC does not sign Business Associate Agreements. Jallarhorn is not a HIPAA-compliant offering. Self-host if you need ePHI isolation.
- No completed third-party penetration test report. Internal review and dependency scanning happen on every release; a public pentest attestation is on the roadmap but unscheduled.
- No append-only audit log yet. Audit rows are in a regular relational table. Checksum-chained append-only storage is tracked as a Q3 2026 item.
- No scale benchmark. We have not published a 5,000-sensor or 100,000-device load test. Claims you see elsewhere in the space are usually unverified; ours will be published with the workload and hardware specification when they are measured.
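What "checksum-chained append-only" means in practice, for the audit-log roadmap item mentioned under Audit logs and again in the list above. This is an added Go example illustrating the technique, not Jallarhorn's implementation (which the page says does not exist yet); the row fields, the in-memory slice standing in for the table and the all-zero genesis value are assumptions. It includes the check a practitioner should know about: a hash chain catches edits, insertions and deletions in the middle, but dropping the newest rows leaves a shorter chain that still verifies, so the head hash has to be anchored outside the database.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// genesis anchors the chain: the first row links to this well-known constant.
var genesis = strings.Repeat("0", 64)

// AuditEvent is one row. Prev links to the previous row's Hash; Hash covers every
// other field of this row, so editing any field (including Prev) breaks the chain.
type AuditEvent struct {
	Seq    uint64    `json:"seq"`
	At     time.Time `json:"at"`
	Actor  string    `json:"actor"`
	Tenant string    `json:"tenant"`
	Action string    `json:"action"`
	Detail string    `json:"detail"`
	Prev   string    `json:"prev"`
	Hash   string    `json:"hash"`
}

// digest hashes the canonical JSON of the row with Hash cleared.
func (e AuditEvent) digest() string {
	e.Hash = ""
	b, err := json.Marshal(e) // field order is fixed by the struct, so the encoding is canonical
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is the in-memory stand-in for the audit table (assumption for this example).
type AuditLog struct{ Events []AuditEvent }

// Append writes a row linked to the current head and returns it.
func (l *AuditLog) Append(at time.Time, actor, tenant, action, detail string) AuditEvent {
	prev := genesis
	if n := len(l.Events); n > 0 {
		prev = l.Events[n-1].Hash
	}
	e := AuditEvent{Seq: uint64(len(l.Events)), At: at, Actor: actor, Tenant: tenant,
		Action: action, Detail: detail, Prev: prev}
	e.Hash = e.digest()
	l.Events = append(l.Events, e)
	return e
}

// Head returns the latest hash. Publish it somewhere the database cannot rewrite.
func (l *AuditLog) Head() string {
	if len(l.Events) == 0 {
		return genesis
	}
	return l.Events[len(l.Events)-1].Hash
}

// Verify walks the chain from genesis and returns the index of the first bad row
// (-1 if intact). It catches edits, insertions and deletions in the middle, but
// NOT deletion of the newest rows: a truncated chain is still a valid chain.
func Verify(events []AuditEvent) (int, error) {
	prev := genesis
	for i, e := range events {
		switch {
		case e.Seq != uint64(i):
			return i, errors.New("sequence gap")
		case e.Prev != prev:
			return i, errors.New("broken link")
		case e.digest() != e.Hash:
			return i, errors.New("row modified")
		}
		prev = e.Hash
	}
	return -1, nil
}

// VerifyAnchored closes that gap by also requiring the chain to end at a head hash
// recorded out of band (a separate log sink, an object with a retention lock, ...).
func VerifyAnchored(events []AuditEvent, publishedHead string) (int, error) {
	if i, err := Verify(events); err != nil {
		return i, err
	}
	head := genesis
	if n := len(events); n > 0 {
		head = events[n-1].Hash
	}
	if head != publishedHead {
		return len(events), errors.New("tail truncated or head mismatch")
	}
	return -1, nil
}

func main() {
	var l AuditLog // constructed sample rows
	l.Append(time.Now().UTC(), "alice", "tenant-a", "login", "ok")
	l.Append(time.Now().UTC(), "alice", "tenant-a", "config.update", "threshold=90")
	fmt.Println("head:", l.Head())
	fmt.Println(Verify(l.Events))
}
```

Using this shape, an operator who exports the audit log via the REST API can re-run Verify on the export and compare the final hash to a head value they recorded earlier, which is the property the roadmap item is meant to deliver.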
Open-source components
Jallarhorn stands on a long list of open-source projects. The table below lists every direct runtime dependency with its license. A full SPDX SBOM is published for every tagged release and attached to the GitHub release artifacts (run syft against the Jallarhorn Docker image if you need to verify the claim yourself). Transitive dependencies are covered by the same SBOM.
| Component | Role | License |
|---|---|---|
| PostgreSQL 16 | Primary store for accounts, alerts, devices, config | PostgreSQL (permissive) |
| TimescaleDB Community | Time-series hypertables for metrics | Apache 2.0 (Community Edition) |
| NATS + JetStream | Sensor-to-control event queue, durable consumers | Apache 2.0 |
| Go runtime and standard library | All three executables (control, sensor, farm) ship as single static binaries | BSD-3-Clause |
| Gin | HTTP router inside jallarhorn-control | MIT |
| pgx/v5 | PostgreSQL driver | MIT |
| bbolt | Embedded key-value store for sensor WAL | MIT |
| Payment processor SDK | Billing integration | MIT |
| SAML, OIDC, LDAP libraries | SSO providers (SAML, OIDC, LDAP) | BSD-2-Clause / Apache 2.0 / MIT |
| gosnmp, gopacket, pro-bing | SNMP, packet capture, ICMP | BSD-3-Clause / MIT |
| gofpdf | SLA PDF report generation | MIT |
| cosign + syft | Release signing and SBOM generation | Apache 2.0 |
| React 18 + TypeScript | Dashboard SPA | MIT |
| Vite | Dashboard build tool | MIT |
| recharts, @xyflow/react, leaflet | Charts, topology graphs, maps in the Dashboard | MIT |
| Lucide | Icon set (the only icon library Jallarhorn uses) | ISC |
| Inter, Space Grotesk | Typography (via Google Fonts) | SIL Open Font License 1.1 |
A corrected or amended list can be requested via support@jallarhorn.com.
Report a vulnerability
Email support@jallarhorn.com. We acknowledge within one business day, set a disclosure timeline with you, and credit you in the release notes if you want the credit. GPG key: TBD — on request until published here.