PILOTVL
Pilot
Home Docs Changelog Blog

Security Practices

How VerbosLabs secures the Pilot platform and your data.

🔒
Encryption in Transit
All traffic over TLS 1.2+. Certificates issued by Let's Encrypt with automated renewal. HSTS enforced with preloading.
🔑
Authentication
Bcrypt password hashing (cost 12), TOTP 2FA support, session tokens with 8-hour expiry and IP-binding, rate-limited login with account lockout.
📋
Full Audit Log
Every action logged with timestamp, username, IP address, and user agent. Retained 12 months. Immutable by design.
🛡
Webhook Verification
HMAC-SHA256 signature verification on all inbound webhooks when secrets are configured. Unsigned webhooks can be rejected via config.
⚡
Rate Limiting
Login endpoint rate-limited at the middleware layer. Account lockout after 5 failed attempts. Additional IP-level protection via Cloudflare WAF.
🧱
Role-Based Access
Four roles: admin, analyst, viewer, msp_admin. Least-privilege by default. All response actions require analyst or higher. All approvals are logged.
📝
Input Sanitization
All user-supplied inputs are sanitized before storage. Parameterized queries throughout. Security headers (CSP, X-Frame-Options, HSTS) on every response.
🔄
Approval Workflow
All bidirectional response actions (endpoint isolation, user disable, IP block) require explicit analyst approval before execution. Full audit trail.

Infrastructure

Hosting

Pilot is hosted on dedicated infrastructure in the United States. We use managed services from major cloud providers under data processing agreements that prohibit secondary use of customer data.

Backups

Database backups run daily and are retained for 30 days. Backups are encrypted at rest. Recovery point objective (RPO) is 24 hours; recovery time objective (RTO) is 4 hours for critical failures.

Dependency management

Dependencies are pinned and reviewed for known vulnerabilities before updates are applied. We monitor security advisories for all runtime dependencies.

SOC 2 Readiness

SOC 2 Type II — Controls in progress · Certification expected Q3 2026

Pilot is designed with SOC 2 Trust Service Criteria (Security, Availability, Confidentiality) in mind. Formal audit is underway. Contact us at [email protected] to request our current security questionnaire or trust report.

Vulnerability Disclosure

We take security reports seriously. If you've found a vulnerability in Pilot, we want to hear from you. Please review our responsible disclosure policy before reporting.

Found a security issue? Report it confidentially to our security team. We will acknowledge within 48 hours and aim to resolve critical issues within 7 days.

View Disclosure Policy
Privacy Terms Security Disclosure