Security and data handling
Least privilege, role-based access, audit logs, encrypted data and no visible secrets.
Last updated 4/1/2026
SOCPilot is designed to be deployable inside security-conscious organizations.
Access model
- Roles enforced at the database (row-level security), not in client code
- Roles never live on user objects — they live in a dedicated user_roles table
- Owner / Admin / SOC Lead / Analyst / Viewer / Auditor
Data handling
- TLS 1.3 in transit, AES-256 at rest, per-tenant key separation
- Customer-controlled retention windows per data class
- Hard-delete on schedule for purged records
- Right-to-be-forgotten honored end-to-end
Secrets
- Integration credentials are never displayed in plain text after creation
- API keys are shown once at generation and stored as hash + prefix only
- Webhook secrets are write-only after creation
Audit
- Every approval, edit, export and integration change is recorded with actor, action, target and timestamp
- The audit log is searchable, filterable and exportable
Related articles
- Read-only investigation mode
Recommended for initial deployment — SOCPilot can investigate without write access to any connected tool.
- Roles and permissions
Owner, admin, SOC lead, analyst, viewer and auditor — enforced at the database.
- API and webhooks
Scoped API keys, signed webhooks and a delivery history for debugging.