Security

Security at Citai

How we protect your data, privacy, and knowledge integrity.

Multi-Tenant Isolation

Each organization operates in a fully isolated environment.

  • Vector embeddings are stored with a mandatory tenant_id on every row

Encryption & Hashing

Sensitive data protected with industry standards.

API keys hashed with SHA-256 — shown only once upon creation

Authentication & Sessions

Robust JWT system with automatic rotation.

  • Refresh tokens last 7 days with automatic rotation

Infrastructure

Production stack with multiple layers of protection.

  • Redis for rate limiting with sliding window (sorted sets)

Role-Based Access Control

Two access levels with granular permissions.

RoleScope
tenant_adminKBs, documents, FAQs, members, config, analytics for their tenant
memberChat, queries to assigned KBs, personal settings

2FA & OAuth

Multi-factor authentication and social login to safeguard account access.

  • QR code generation for quick setup

Security Headers & Observability

Hardened HTTP headers and proactive error monitoring.

  • X-Frame-Options for clickjacking protection

GDPR & Data Compliance

Built-in tools for data protection regulation compliance.

  • Account deletion (GDPR Art. 17) — soft delete with password confirmation

Audit Trail

Full traceability of critical actions across the platform.

  • Configurable retention period (in days)

Content Moderation

Granular control over what content the system can generate and display.

  • REDIRECT rules: redirect queries to predefined answers

Data Isolation (Advanced)

Strict separation between platform metadata and tenant content.

  • All queries scoped by tenant_id (no bypass)

Webhook Security

External integrations protected with cryptographic signing and guaranteed delivery.

  • Automatic retry with exponential backoff (3 retries: 1s, 5s, 30s)

Per-Operation Rate Limiting

Specific limits per operation type to prevent abuse and brute-force attacks.

  • Registration: max 5 accounts per hour per IP

Responsible Disclosure

If you find a security vulnerability, please contact us at [email protected]. We commit to responding within 48 hours and working with you to resolve the issue.

[email protected]