SC.00 Trust · Security

Security engineered for national-scale deployments.

FlyttGo platforms are built for regulated enterprise and public-sector workloads — tenant-isolated, continuously monitored and independently audited. This page summarizes our program; full documentation is shared under NDA.

  • Tenant isolation

    Every deployment runs in a dedicated schema with tenant-scoped encryption keys, row-level security policies and API-gateway-enforced RBAC. Sovereign deployments can be fully air-gapped from public networks.

  • Cryptography

    TLS 1.3 in transit, AES-256 at rest, envelope encryption with customer-held master keys on supported deployment modes. HSM-backed key storage for payment and identity modules.

  • Continuous monitoring

    Centralized logging, real-time anomaly detection, tamper-evident audit trails. 24/7 SOC coverage on managed deployments; runbook handover to customer SOC for customer-cloud and sovereign tenants.

  • Compliance posture

    Controls are mapped to SOC 2 Type II, ISO 27001 and GDPR, plus WCAG 2.1 AA for accessibility. Regulated modules add PSD2, eIDAS and PCI DSS controls as required per jurisdiction.

  • Supply chain

    Signed builds, SBOM attestation, dependency pinning and automated vulnerability scanning on every merge. Security advisories affecting third-party libraries are triaged within one business day when rated critical.

  • Incident response

    Severity classification, 24/7 on-call rotation, customer notification within contractual windows. Post-mortems are shared with enterprise customers through the deployment portal.

TS.00 Verifiable trust signals · supply-chain provenance

Trust that's independently verifiable.

Each signal in this section is anchored to a cryptographic artefact a third party can verify without contacting us. SBOMs ship per release, container images carry Sigstore signatures, and the platform audit trail records every platform-level change.

  • TS.01

    Software Bill of Materials

    CycloneDX 1.5 SBOM published per release. Lists every direct and transitive dependency with version, license, hash, and vulnerability status. Diff against the previous release is included.

    sbom.cyclonedx.json · sha256:7e3f…
  • TS.02

    Sigstore-signed release artefacts

    Container images and binary releases are signed with Sigstore (cosign) keyless signing: a short-lived certificate from the Sigstore Fulcio CA binds each signature to the CI identity that produced the artefact, and the signature is recorded in the Sigstore Public Good transparency log (Rekor), so there is no long-lived FlyttGo-held signing key to compromise. Verifiers should pin the expected signer with cosign's --certificate-identity and --certificate-oidc-issuer flags; without them, any artefact carrying a valid Sigstore signature from any identity would pass.

    cosign verify ghcr.io/flyttgo/...
  • TS.03

    Reproducible builds

    Every published artefact can be rebuilt from a public source revision to a byte-identical output, so a verifier compares the sha256 of their own rebuild with the published digest. Build environment pinned via Nix flake; build-info JSON shipped alongside each release.

    build-provenance · SLSA level 3 target
  • TS.04

    Append-only platform audit trail

    Every platform-level change (deployment, schema migration, role grant) is captured to an append-only audit_log with full before/after JSONB snapshots. UPDATE and DELETE are rejected at the trigger layer. A database superuser can still disable triggers, which is why the per-row hash chain below matters: it lets an exported trail be checked outside the database.

    public.audit_log · per-row hash chain (planned)
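Checking a downloaded SBOM the way TS.01 describes, as an added example that is not FlyttGo's own tooling: verify the published sha256 digest, diff the component list against the previous release, and resolve the SBOM's vulnerability entries back to the affected components. The two SBOM documents, the package names and the advisory id EXAMPLE-0001 are constructed sample data for this example.

```python
"""Added example: verify a CycloneDX SBOM's published digest and diff it against
the previous release. The sample SBOMs below are constructed for this example and
are not FlyttGo release data."""
import hashlib
import hmac
import json


def _bom(components, vulnerabilities=()):
    """Build a minimal CycloneDX 1.5 document (constructed sample, not a real release)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:pypi/{n}@{v}", "bom-ref": f"pkg:pypi/{n}@{v}"}
            for n, v in components
        ],
        "vulnerabilities": list(vulnerabilities),
    }, sort_keys=True).encode()


PREVIOUS_SBOM = _bom([("libfoo", "1.2.0"), ("libbar", "3.0.1"), ("libold", "0.9.0")])
CURRENT_SBOM = _bom(
    [("libfoo", "1.2.0"), ("libbar", "3.1.0"), ("libnew", "2.0.0")],
    # EXAMPLE-0001 is a placeholder advisory id for the sample; a real SBOM carries a CVE/GHSA id.
    vulnerabilities=[{"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:pypi/libbar@3.1.0"}]}],
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, published: str) -> bool:
    """Compare the downloaded SBOM with the digest printed beside it ("sha256:<hex>")."""
    algo, _, expected = published.partition(":")
    if algo != "sha256" or len(expected) != 64:
        return False
    return hmac.compare_digest(sha256_hex(data), expected.lower())


def components(sbom: bytes) -> dict:
    """Map component name -> version for every direct and transitive dependency."""
    doc = json.loads(sbom)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def diff_components(previous: bytes, current: bytes) -> dict:
    """Added, removed and version-changed components between two releases."""
    old, new = components(previous), components(current)
    return {
        "added": {n: v for n, v in new.items() if n not in old},
        "removed": {n: v for n, v in old.items() if n not in new},
        "changed": {n: (old[n], v) for n, v in new.items() if n in old and old[n] != v},
    }


def vulnerable_components(sbom: bytes) -> dict:
    """Resolve each vulnerability's affected bom-refs back to name@version."""
    doc = json.loads(sbom)
    by_ref = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in doc.get("components", [])}
    hits = {}
    for vuln in doc.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            comp = by_ref.get(target["ref"], target["ref"])
            hits.setdefault(comp, []).append(vuln["id"])
    return hits


if __name__ == "__main__":
    # Stands in for the digest published beside sbom.cyclonedx.json on the portal.
    published = "sha256:" + sha256_hex(CURRENT_SBOM)
    print("digest ok:", verify_digest(CURRENT_SBOM, published))
    print("diff:", diff_components(PREVIOUS_SBOM, CURRENT_SBOM))
    print("vulnerable:", vulnerable_components(CURRENT_SBOM))
```

The diff is keyed by component name, so a renamed package appears as one removal plus one addition, and ecosystems that use group-qualified names would need (group, name) keys. Compare the script's diff with the one shipped in the release before trusting either.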
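How a third party would check the per-row hash chain that TS.04 lists as planned, as an added example rather than FlyttGo's schema: each row's hash covers the previous row's hash plus the canonical JSON of its own id, action and before/after snapshots. The column layout (id, action, before, after, prev_hash, row_hash), the all-zero genesis hash and the three sample events are assumptions made for this example.

```python
"""Added example: verify a per-row hash chain over an exported audit_log.
Row layout, genesis value and sample events are assumptions for this example."""
import hashlib
import json

GENESIS_HASH = "0" * 64  # assumed chain anchor for the first row


def canonical(obj) -> bytes:
    """Deterministic JSON so the same snapshot always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def row_hash(prev_hash: str, row: dict) -> str:
    """sha256(prev_hash || canonical(id, action, before, after))."""
    payload = {k: row[k] for k in ("id", "action", "before", "after")}
    return hashlib.sha256(prev_hash.encode() + canonical(payload)).hexdigest()


def build_chain(events: list) -> list:
    """Append events the way an insert trigger would, linking each row to the previous hash."""
    rows, prev = [], GENESIS_HASH
    for i, (action, before, after) in enumerate(events, start=1):
        row = {"id": i, "action": action, "before": before, "after": after, "prev_hash": prev}
        row["row_hash"] = row_hash(prev, row)
        rows.append(row)
        prev = row["row_hash"]
    return rows


def verify_chain(rows: list) -> tuple:
    """Return (ok, first_bad_id). Catches edited, deleted and reordered rows, not tail truncation."""
    prev, expected_id = GENESIS_HASH, 1
    for row in rows:
        if (row["id"] != expected_id
                or row["prev_hash"] != prev
                or row_hash(prev, row) != row["row_hash"]):
            return False, row["id"]
        prev, expected_id = row["row_hash"], expected_id + 1
    return True, None


# Constructed sample events mirroring the change types the page lists.
SAMPLE_EVENTS = [
    ("deployment", None, {"image": "app:1.4.0"}),
    ("schema_migration", {"version": 41}, {"version": 42}),
    ("role_grant", None, {"role": "reader", "user": "ops@example"}),
]

AUDIT_ROWS = build_chain(SAMPLE_EVENTS)


def tampered_edit(rows: list) -> list:
    """Copy of the export with row 2's after-snapshot altered in place."""
    out = [dict(r) for r in rows]
    out[1]["after"] = {"version": 43}
    return out


def tampered_delete(rows: list) -> list:
    """Copy of the export with row 2 removed."""
    return [dict(r) for r in rows if r["id"] != 2]


if __name__ == "__main__":
    print("intact:", verify_chain(AUDIT_ROWS))
    print("edited:", verify_chain(tampered_edit(AUDIT_ROWS)))
    print("deleted:", verify_chain(tampered_delete(AUDIT_ROWS)))
```

Editing, removing or reordering a row in the middle breaks the chain at the first affected id, even if the attacker recomputes that row's own hash, because the next row's prev_hash no longer matches. Dropping rows from the tail does not break anything, so the exported chain also has to be checked against a head hash published out of band (a release note, a transparency log entry).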

Verification commands and per-release SBOM links land on the developer portal. Customers under MSA receive direct links to the SBOM, SLSA provenance, and the cosign verify key chain alongside each release notification.

Coordinated disclosure

Report vulnerabilities to security@flyttgotech.com. We acknowledge within one business day, target remediation within a severity-based SLA and credit external researchers on request.

SOC 2 / ISO 27001 reports

Full audit reports, pen-test summaries and architecture diagrams are shared with enterprise and public-sector customers under NDA. Request documentation.