Security

Security-by-design, reported without inflation

Devory's security posture is still developing alongside the product. This page separates what is implemented today from what is actively being built and what remains a future objective. Devory does not claim SOC 2, ISO 27001, PCI DSS or any other certification unless it has genuinely been obtained.

Existing controls

  • Authorization is policy-governed and deny-by-default: access must be explicitly granted, not implicitly assumed.
  • Role separation exists between personal and organisation-scoped identities.
  • Secrets and credentials are never embedded in client-facing frontend code.
  • Software components carry integrity verification so tampering with a package can be detected.
  • Execution is currently restricted to trusted, vetted components only — there is no untrusted or arbitrary code execution path.

Controls under development

  • Encryption at rest for locally stored secrets is being designed and is not yet complete.
  • Tenant and organisation data isolation at the storage layer is being scoped before it is wired into live cloud infrastructure.
  • Automated security scanning and reporting tooling is under active development.
  • Sandboxed execution of untrusted or third-party components is not yet implemented.

Future compliance objectives

  • Devory intends to evaluate formal compliance frameworks (such as SOC 2) once the platform and its operating processes are mature enough to support them.
  • Devory intends to publish a dedicated responsible-disclosure process as the security program matures.

Reporting a vulnerability

Devory does not yet publish a dedicated, monitored security mailbox. Use the contact form and select the Security category so your report reaches the right people, or email dev@devory.app directly with “Security” in the subject line.