6-Layer Defense

Complete defense in depth = every layer assumes the layer above may have been breached.

┌──────────────────────────────────────────────┐
│  6. Compliance  MLPS · GDPR · ISO 27001       │
├──────────────────────────────────────────────┤
│  5. Audit       Tamper-proof operation logs    │
├──────────────────────────────────────────────┤
│  4. Data        At-rest · field-level encryption │
├──────────────────────────────────────────────┤
│  3. Access      RBAC + ACL                     │
├──────────────────────────────────────────────┤
│  2. Auth        SSO + email + strong password  │
├──────────────────────────────────────────────┤
│  1. Network     HTTPS / TLS · DDoS             │
└──────────────────────────────────────────────┘

Layer 1 · Network

Control	Implementation
HTTPS / TLS 1.3	Mandatory encryption for external traffic; only TLS 1.2+, legacy disabled
HSTS	`Strict-Transport-Security: max-age=31536000`
CDN / DDoS	Provided by Evose for SaaS; for Private, integrate corp WAF / Cloudflare
IP allowlist	Optional for the admin console, restrict ops entry
Network segmentation	Private: K8s NetworkPolicy isolates namespaces; DB internal-only ACLs

Layer 2 · Authentication

Control	Implementation
SSO	OAuth 2.0 (supported); LDAP / AD / SAML / MFA (planned)
Email + password	bcrypt hash · password strength · failure lockout
Session management	JWT + Refresh Token · configurable max concurrent devices
API Key (outbound)	Platform-level / workspace-level · revocable · rate-limited

Layer 3 · Access

Control	Implementation
RBAC	Role → system / workspace permissions
ACL	4-level resource permissions (view / use / edit / manage)
Resource policy	Cross-workspace global rules complementing RBAC + ACL
Workspace isolation	Data / resource / observability — fully isolated by default
Least privilege	Default deny; explicit grants

→ Roles · Resource policy

Layer 4 · Data

Control	Implementation
At rest	AES-256 full-table DB encryption (Private may use TDE)
Field-level	Independent keys for credentials / sensitive fields
In transit	End-to-end TLS 1.3; mTLS between internal services (recommended on K8s)
Key management	Master key (`SECRET_KEY`) stored carefully; external KMS support (planned)
Data isolation	Workspace-level logical (SaaS) / physical (full-stack Private)

→ Data isolation in detail

Layer 5 · Audit

Control	Implementation
Operation log	All writes / sensitive reads / permission changes
Tamper-proof	Write-once read-only; replicate to external SIEM
Retention	Default 90 days, extendable to 7 years for compliance
Traceability	Who / when / what / which resources affected

→ Desktop audit events

Layer 6 · Compliance

Standard	Status
MLPS (China's Multi-Level Protection Scheme)	Level 2 ✓ · Level 3 ✓
GDPR (EU)	✓
ISO 27001	✓
HIPAA (U.S. healthcare)	Achievable under Private with proper setup
SOC 2 Type II	Roadmap

→ Compliance checklist

Penetration Testing

Third-party penetration testing: at least annually
Vulnerability disclosure: security@evose.ai (private)
Response SLA: Critical 24h · High 72h · Medium 7d

Security Update Flow

Vulnerability discovered → severity assessment → internal fix → security advisory → patch push:

Severity	Push
Critical (RCE / data leak)	Emergency patch within 24-48h
High	Regular release within 1 week
Medium / Low	Next regular release

Next Steps

Data isolation → Data isolation & encryption
Compliance checklist → Compliance

6-Layer Defense

On this page