WalnutAI← Back to Home

Security Policy

Your data security is our top priority

Effective Date: March 2026  |  Last Updated: March 24, 2026  |  Version: 1.0

Our Commitment to Security

At WalnutAI, we understand that security is paramount when you entrust us with your testing data and automation workflows. We have implemented comprehensive security measures across our platform to protect your data, ensure system integrity, and maintain the highest standards of information security.

This document outlines our security practices, compliance commitments, and how we safeguard your information.

1. Platform Security Architecture

Enterprise-Grade Infrastructure

WalnutAI is built on a modern, scalable architecture designed with security at its core:

  • Multi-Tenant Architecture: Complete data isolation between organizations with dedicated security boundaries
  • Microservices Design: Segmented services minimize attack surface and contain potential security incidents
  • Cloud-Native Deployment: Leveraging enterprise cloud infrastructure (AWS/Azure) with built-in security features
  • High Availability: Redundant systems ensure continuous operation and data protection

Technology Stack

Our platform utilizes industry-standard, security-hardened technologies:

  • Backend: Node.js with Express framework, secured with Helmet.js
  • Database: MongoDB with encryption and role-based access control
  • Caching: Redis with TLS encryption for session management
  • Storage: AWS S3 / Azure Blob with encryption at rest and in transit

2. Data Protection

Encryption

Data in Transit:

  • TLS 1.3 encryption for all data transmission
  • HTTPS for all API communications
  • WSS (WebSocket Secure) for real-time connections

Data at Rest:

  • AES-256 encryption for sensitive data fields
  • Bcrypt password hashing with industry-standard cost factors
  • Encrypted API keys and integration tokens
  • Encrypted database backups

Data Isolation

  • Complete logical separation between customer organizations
  • Organization-scoped access controls on all data queries
  • Indexed tenant identifiers for performance and security
  • No cross-tenant data access or leakage

3. Authentication & Access Control

User Authentication

Robust Authentication:

  • Industry-standard bcrypt password hashing
  • Secure session management
  • JWT token support for API access
  • Password complexity requirements

Session Security:

  • HttpOnly cookies prevent XSS attacks
  • SameSite attributes for CSRF protection
  • Configurable session timeouts
  • 24-hour maximum session duration

Role-Based Access Control (RBAC)

  • Granular permission system based on user roles
  • Organization, project, and resource-level permissions
  • Principle of least privilege enforced
  • Audit logging of permission changes

4. Application Security

Secure Development Practices

  • Security requirements integrated into development lifecycle
  • Regular security code reviews
  • Automated security testing in CI/CD pipeline
  • Input validation using Zod validation library
  • Continuous dependency scanning for vulnerabilities

API Security

  • Authentication required for all endpoints
  • Rate limiting to prevent abuse
  • Request validation and sanitization
  • Secure error handling
  • OAuth 2.0 support for integrations

5. Network Security

Infrastructure Protection

Network Segmentation:

  • Private subnets for databases
  • Load balancers with DDoS protection
  • Firewall rules restricting traffic
  • VPN access for administration

Security Headers:

  • Content Security Policy (CSP)
  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options (clickjacking prevention)
  • X-Content-Type-Options

6. Monitoring & Incident Response

24/7 Security Monitoring

  • Real-time application monitoring
  • Security event logging and analysis
  • Anomaly detection for suspicious activities
  • Automated alerting for security events
  • Comprehensive audit logging

Incident Response

  • Dedicated security team with defined procedures
  • 24/7 security incident monitoring
  • Documented incident response playbooks
  • Commitment to transparent communication
  • GDPR-compliant breach notification (72-hour requirement)

Security Contact: security@walnutai.ai — Available 24/7 for security incidents.

7. Compliance & Certifications

GDPR Compliance

  • Data processing agreements
  • Right to access (data export)
  • Right to erasure (account deletion)
  • Privacy by design
  • 72-hour breach notification

CCPA Compliance

  • Transparent data practices
  • User rights to access/deletion
  • Opt-out mechanisms

SOC 2 Type II

  • Security controls aligned
  • Regular third-party audits
  • Continuous monitoring

Industry Standards

  • OWASP Top 10 compliance
  • ISO 27001 alignment
  • Security best practices

8. Business Continuity & Disaster Recovery

Data Backup

  • Daily automated backups of all customer data
  • Encrypted backup storage
  • Geographic redundancy for disaster recovery
  • Regular backup restoration testing

Recovery Commitments

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours
  • Uptime SLA: 99.9%

9. Third-Party Security

Vendor Management

  • Security assessments of third-party services
  • Contractual security requirements
  • Regular vendor security reviews
  • Trusted enterprise cloud providers (AWS, Azure)

Dependency Management

  • Continuous dependency monitoring
  • Automated vulnerability scanning
  • Timely security updates
  • Software supply chain security

10. Customer Security Responsibilities

While we provide robust platform security, customers play a crucial role in maintaining overall security:

  • Account Security: Maintain strong, unique passwords
  • Access Management: Properly configure user roles and permissions
  • Credential Protection: Safeguard API keys and integration tokens
  • Security Awareness: Train team members on security practices
  • Prompt Reporting: Report suspected security issues immediately

11. Contact & Support

General Inquiries:

Email: security@walnutai.ai — Response within 24 hours

Security Vulnerabilities:

Email: security@walnutai.ai — Response within 48 hours

Customer Support:

Email: contact@walnutai.ai — Documentation available 24/7

Reporting Security Issues

If you discover a potential security vulnerability:

  • Email security@walnutai.ai with details
  • Include description, steps to reproduce, and potential impact
  • Do not publicly disclose until we've addressed the issue
  • We will acknowledge within 48 hours and provide updates

Our Security Commitment

WalnutAI is committed to maintaining the highest standards of security and privacy. This security policy reflects our current practices and our ongoing commitment to protecting customer data.

  • Continuous security monitoring and improvement
  • Transparent communication about security practices
  • Rapid response to security incidents
  • Compliance with applicable regulations
  • Partnership with customers in maintaining security

Document Classification: Public  |  Version: 1.0  |  Last Updated: March 24, 2026  |  Next Scheduled Review: September 2026

© 2025 WalnutAI. All rights reserved. This document represents WalnutAI's security practices as of the effective date.