Security

How echotest protects your data and simulations

Authentication

• Bcrypt password hashing with 12 rounds
• Strong password policy: 12+ characters, mixed case, digits, and symbols
• httpOnly, Secure, SameSite session cookies (no tokens in localStorage)
• Email verification required before running simulations
• Account lockout after 5 failed login attempts (15-minute cooldown)
• Login rate limiting: 10 attempts per minute per IP
• Google OAuth SSO support

Data Protection

• TLS 1.2+ encryption for all data in transit
• Azure-managed encryption at rest for all databases
• API keys hashed with SHA-256 before storage (never retrievable)
• Stripe PCI DSS Level 1 compliant payment processing
• Azure Key Vault for all production secrets

Access Control

• Organization-scoped data isolation — users cannot access other orgs' data
• Role-based team access: Owner, Admin, Editor, Viewer
• Three-tier admin system: Superadmin, Support, Billing
• All admin actions audit-logged with IP address and user agent

Infrastructure

• Hosted on Azure Container Apps (East US 2 region)
• Azure Database for PostgreSQL with automated backups
• Non-root container images with multi-stage builds
• Security headers: HSTS, X-Frame-Options DENY, Content-Type nosniff
• CSRF protection via httpOnly cookies + SameSite policy

AI Processing

• Azure OpenAI — your data is NOT used to train models
• Inputs and outputs are not stored by Microsoft beyond the API lifecycle
• No simulation data leaves the Azure cloud boundary
• Content screening on all simulation inputs (safety filter)

Reporting a Vulnerability

If you discover a security vulnerability, please report it to security@echotest.ai. We take all reports seriously and will respond within 48 hours.