Platform Security

Security is built into the core architecture of SwiftCloud. We employ industry-leading practices to protect your data, infrastructure, and privacy.

Security at a Glance

  • ✓ KVM hypervisor isolation
  • ✓ TLS 1.3 encryption in transit
  • ✓ AES-256 encryption at rest
  • ✓ Comprehensive audit logging
  • ✓ DDoS protection
  • ✓ Regular security audits

Tenant Isolation

We use Project-Based Isolation to ensure complete separation between customers and their resources.

Compute Isolation

  • KVM Hypervisors: Virtual Machines run on KVM (Kernel-based Virtual Machine), providing hardware-level isolation between workloads. Each VM has its own kernel, preventing cross-VM attacks.
  • Dedicated Resources: CPU and RAM are allocated exclusively to your VM. No noisy neighbors or resource contention.
  • Secure Boot: VMs support secure boot to prevent unauthorized firmware and bootloaders.

Network Isolation

  • Project Networks: Each project operates in an isolated network segment.
  • Firewall Rules: Configurable security groups control inbound and outbound traffic.
  • Private Networking: Resources within a project can communicate over private networks, isolated from the public internet.

Access Control

  • Role-Based Access: Four distinct roles (Owner, Admin, Member, Viewer) with granular permissions.
  • Project Isolation: Users can only access projects they've been explicitly added to.
  • API Key Scopes: API keys can be limited to specific operations (read-only, VM management, etc.).

Data Encryption

In Transit

  • TLS 1.3: All traffic between you and SwiftCloud is encrypted using TLS 1.3, the latest and most secure version.
  • HSTS: HTTP Strict Transport Security enforces HTTPS connections.
  • Perfect Forward Secrecy: Session keys are not compromised even if long-term keys are breached.
  • VNC Encryption: Console access uses encrypted WebSocket connections.

At Rest

  • Database Encryption: All database data is encrypted using AES-256.
  • Backup Encryption: Database backups and snapshots are encrypted before storage.
  • Secret Management: API keys, passwords, and tokens are hashed (bcrypt) or encrypted (AES-GCM).
  • VM Disk Encryption: Optional encrypted storage for sensitive workloads (coming soon).

Audit Logs

Every critical action on the platform is recorded in an immutable Audit Log for compliance and troubleshooting.

What We Log

  • Who: Which user performed the action (user ID, email)
  • What: The action type (e.g., VM_CREATED, BALANCE_DEDUCTED)
  • When: Precise timestamp with timezone
  • Where: IP address and user agent
  • Details: Additional context (resource ID, project ID, parameters)

Logged Actions

  • Authentication events (login, logout, failed attempts)
  • Resource operations (create, update, delete VMs, domains, databases)
  • Billing transactions (payments, balance changes, coupon redemptions)
  • Access control changes (adding/removing team members, role changes)
  • API key management (creation, revocation)
  • Security events (password changes, 2FA enablement)

Accessing Audit Logs

  • Admin Panel: Admins can view platform-wide audit logs
  • Project Settings: Project-level logs for team members
  • API Access: Retrieve logs programmatically via API (coming soon)
  • Retention: Logs are retained for 12 months

Infrastructure Security

Data Centers

  • Tier III+ Facilities: Our infrastructure partners operate Tier III+ data centers
  • Physical Security: 24/7 security, biometric access, CCTV monitoring
  • Redundancy: N+1 redundancy for power, cooling, and network
  • Compliance: SOC 2, ISO 27001 certified facilities

Network Security

  • DDoS Protection: Automatic DDoS mitigation up to 1Tbps
  • Firewall: Multi-layer firewall rules at network perimeter
  • Intrusion Detection: IDS/IPS systems monitor for suspicious activity
  • Rate Limiting: API rate limiting prevents abuse

Vulnerability Management

  • Regular Patching: Security patches applied within 48 hours of release
  • Vulnerability Scanning: Automated scans identify potential weaknesses
  • Penetration Testing: Annual third-party penetration tests
  • Bug Bounty: Responsible disclosure program for security researchers (coming soon)

Authentication & Authorization

Authentication Methods

  • Google OAuth: Enterprise-grade authentication via Google
  • Magic Links: Passwordless email authentication with time-limited tokens
  • API Keys: Bearer token authentication for API access
  • 2FA: Two-factor authentication support (coming soon)

Session Security

  • Secure Cookies: HTTP-only, Secure, SameSite cookies
  • Session Timeout: Automatic logout after 30 days of inactivity
  • Session Invalidation: Immediate invalidation on password change or logout
  • Device Management: View and revoke active sessions (coming soon)

Password Security

  • No Passwords Stored: We use passwordless authentication or OAuth
  • bcrypt Hashing: Any stored credentials use bcrypt with cost factor 12
  • Breach Detection: Integration with Have I Been Pwned API (coming soon)

Compliance & Certifications

Current Compliance

  • GDPR: Compliant with EU General Data Protection Regulation
  • Zambia Data Protection Act: Compliant with local data protection laws
  • PCI DSS: Payment processing via PCI-compliant providers (DPO, Lenco)

In Progress

  • SOC 2 Type II: Expected completion Q4 2026
  • ISO 27001: Certification process initiated

Incident Response

Our Process

  1. Detection: Automated monitoring and alerting systems
  2. Assessment: Security team evaluates severity and impact
  3. Containment: Isolate affected systems to prevent spread
  4. Eradication: Remove threat and patch vulnerabilities
  5. Recovery: Restore systems from clean backups
  6. Notification: Inform affected users within 72 hours
  7. Review: Post-incident analysis and process improvement

Breach Notification

In the event of a data breach affecting your personal information:

  • We will notify you via email within 72 hours
  • Notification includes nature of breach, data affected, and recommended actions
  • We provide credit monitoring services for significant breaches (if applicable)
  • Regulatory authorities are notified as required by law

Security Best Practices for Users

Account Security

  • Use strong, unique passwords for your email account
  • Enable 2FA on your Google account (when using OAuth)
  • Never share your magic link or API keys
  • Review active sessions regularly
  • Use a password manager

VM Security

  • Keep your VM operating system updated
  • Use SSH keys instead of passwords
  • Configure firewall rules to limit access
  • Regular backups of critical data
  • Monitor resource usage for anomalies

API Security

  • Use scoped API keys with minimum required permissions
  • Rotate API keys periodically
  • Never commit API keys to version control
  • Use environment variables for key storage
  • Monitor API usage for unusual activity

Reporting Security Issues

If you discover a security vulnerability:

  1. Do NOT disclose publicly until we've had time to respond
  2. Email: security@osystems.africa
  3. Include: Description, reproduction steps, potential impact
  4. We respond within 48 hours with acknowledgment
  5. We provide updates every 7 days until resolution

We appreciate responsible disclosure and will credit researchers in our security hall of fame (coming soon).

Security Updates

Stay informed about security:

← Authentication Troubleshooting →