Security
Demeterics is built with security-first principles. This document covers authentication, authorization, data protection, and compliance features.
Authentication
OAuth2 / SSO
Demeterics supports OAuth2 authentication through Google:
| Provider | Status | Configuration |
|---|---|---|
| Google | Supported | Default SSO option |
| GitHub | Planned | Coming soon |
| Microsoft | Planned | Enterprise feature |
Flow:
- User clicks "Sign in with [Provider]"
- Redirected to provider's OAuth consent screen
- Provider returns authorization code
- Demeterics exchanges code for tokens
- Session created with secure HTTP-only cookie
Firebase Authentication
For custom integrations, Demeterics uses Firebase Authentication as the underlying identity layer:
- Email/password authentication
- Phone number verification
- Multi-factor authentication (MFA)
- Session management with configurable expiry
API Key Authentication
API keys authenticate programmatic access to Demeterics APIs.
Key format: dmt_ prefix followed by 32 random characters
Security features:
- Keys are hashed with bcrypt before storage; the plaintext is shown once at creation and never stored, so a database compromise does not yield usable keys
- Keys can be scoped to specific permissions
- Keys can be rotated without downtime
- Last-used timestamp tracked for auditing
Best practices:
- Store keys in environment variables, never in code
- Use separate keys for development and production
- Rotate keys every 90 days
- Revoke unused keys immediately
Authorization
Role-Based Access Control (RBAC)
| Role | Permissions |
|---|---|
| Admin | Full access: manage users, API keys, agents, settings, billing |
| User | View interactions, create agents, use APIs |
| Viewer | Read-only access to dashboards and interactions |
| API Only | Programmatic access only, no dashboard |
API Key Scopes
When creating API keys, you can limit their permissions:
```json
{
  "scopes": [
    "interactions:read",
    "interactions:write",
    "agents:read",
    "agents:write",
    "analytics:read",
    "exports:read"
  ]
}
```
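The following is an added example of the server-side handling the API key and scope sections describe; it is not Demeterics code. It generates keys in the documented `dmt_` + 32 character shape, stores only a salted hash, records last-used on every successful authentication, and separates "key unknown" (401) from "key valid but lacks the scope" (403). Two things are assumptions of this example rather than documented behaviour: PBKDF2 from the standard library stands in for bcrypt so the block runs without third-party packages, and the first 8 random characters are kept in the clear as a lookup id so the slow hash only has to be computed for one candidate record.

```python
import hashlib
import hmac
import secrets
import string
import time

KEY_PREFIX = "dmt_"
KEY_RANDOM_LEN = 32
ALPHABET = string.ascii_letters + string.digits
# PBKDF2 stands in for bcrypt here (assumption, so the example has no third-party
# dependency); the iteration count is likewise an illustrative choice.
PBKDF2_ITERATIONS = 100_000


def generate_api_key() -> str:
    """Key in the documented shape: 'dmt_' followed by 32 random characters."""
    return KEY_PREFIX + "".join(secrets.choice(ALPHABET) for _ in range(KEY_RANDOM_LEN))


def well_formed(key: str) -> bool:
    body = key[len(KEY_PREFIX):]
    return key.startswith(KEY_PREFIX) and len(body) == KEY_RANDOM_LEN and all(c in ALPHABET for c in body)


def hash_key(key: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", key.encode("ascii"), salt, PBKDF2_ITERATIONS)


def lookup_id(key: str) -> str:
    """First 8 random characters, stored in the clear purely to find the record (assumption)."""
    return key[len(KEY_PREFIX):len(KEY_PREFIX) + 8]


class ApiKeyStore:
    """In-memory stand-in for the key table: salt, hash, scopes, last-used, revoked flag.
    The plaintext key is never kept."""

    def __init__(self):
        self._records = {}

    def create(self, scopes) -> str:
        key = generate_api_key()
        salt = secrets.token_bytes(16)
        self._records[lookup_id(key)] = {
            "salt": salt,
            "hash": hash_key(key, salt),
            "scopes": frozenset(scopes),
            "last_used": None,
            "revoked": False,
        }
        return key  # the only moment the plaintext exists on the server side

    def revoke(self, key_id: str) -> None:
        self._records[key_id]["revoked"] = True

    def rotate(self, key_id: str) -> str:
        """Issue a replacement with the same scopes. The old key keeps working until the
        caller revokes it, which is what makes rotation downtime-free."""
        return self.create(self._records[key_id]["scopes"])

    def last_used(self, key_id: str):
        return self._records[key_id]["last_used"]

    def authorize(self, key: str, required_scope: str, now=time.time) -> str:
        """Returns 'unauthenticated' (map to 401), 'forbidden' (403) or 'ok'."""
        if not well_formed(key):
            return "unauthenticated"
        rec = self._records.get(lookup_id(key))
        if rec is None or rec["revoked"]:
            return "unauthenticated"
        # Constant-time comparison of the recomputed hash against the stored one.
        if not hmac.compare_digest(hash_key(key, rec["salt"]), rec["hash"]):
            return "unauthenticated"
        rec["last_used"] = now()  # audit trail: updated whether or not the scope check passes
        if required_scope not in rec["scopes"]:
            return "forbidden"
        return "ok"
```

Note that a malformed or unknown key and a key with a wrong hash all return the same result, so a caller cannot tell whether a guessed lookup id exists; only the scope failure is distinguishable, and by then the caller has already proven possession of the key.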
Data Protection
Encryption
In Transit:
- All connections use TLS 1.3
- HSTS enabled with 1-year max-age
- Certificate transparency logging
At Rest:
- Google Cloud KMS for key management
- AES-256 encryption for stored data
- Automatic key rotation
Data Residency
Data is stored in Google Cloud regions:
| Region | Location | Availability |
|---|---|---|
| us-central1 | Iowa, USA | Default |
| europe-west1 | Belgium, EU | Enterprise |
| asia-east1 | Taiwan | Enterprise |
Contact sales@demeterics.com for specific data residency requirements.
Request Security
CSRF Protection
All state-changing requests require CSRF tokens:
- Tokens embedded in forms automatically
- SameSite=Strict cookie policy
- Origin header validation
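An added example of the Origin-plus-token check described above, written for this page and not taken from Demeterics. Reads are exempt; every state-changing request must present an allowed Origin and a form token equal to the one held in the session. The allowed origin `https://app.demeterics.com` is an assumption, as is the choice to reject a request whose Origin header is absent or `null` rather than fall back to trusting it. The comparison is an exact match on the whole origin: a `startswith` test would accept `https://app.demeterics.com.evil.example`.

```python
import hmac
import secrets

# Origins allowed to make state-changing requests (hostname assumed for the example).
ALLOWED_ORIGINS = {"https://app.demeterics.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_csrf_token() -> str:
    """Per-session secret embedded in forms; the same value is kept server-side."""
    return secrets.token_urlsafe(32)


def origin_allowed(origin) -> bool:
    """Exact match on the full origin. 'null' (sandboxed iframes, some redirect chains)
    and a missing header are rejected, not trusted (assumption for this example)."""
    if not origin or origin == "null":
        return False
    return origin.lower().rstrip("/") in ALLOWED_ORIGINS


def csrf_check(method: str, headers: dict, session_token, form_token):
    """Return (allowed, reason). Header names are treated case-insensitively."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    lowered = {k.lower(): v for k, v in headers.items()}
    if not origin_allowed(lowered.get("origin")):
        return False, "origin rejected"
    if not session_token or not form_token:
        return False, "csrf token missing"
    # Constant-time comparison on bytes so non-ASCII input cannot raise and
    # timing cannot leak how many leading characters matched.
    if not hmac.compare_digest(session_token.encode(), form_token.encode()):
        return False, "csrf token mismatch"
    return True, "ok"
```

The Origin check and the token check are deliberately both required: the Origin header catches cross-site requests even when a token has leaked, and the token catches same-site subdomain takeover cases where the Origin would look legitimate.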
Rate Limiting
Rate limits protect against abuse and ensure fair usage. Limits are tier-based and increase as your account matures:
| Tier | Limit | Criteria |
|---|---|---|
| New | 10 requests/min | New accounts |
| Verified | 30 requests/min | Email verified |
| Established | 60 requests/min | Active usage history |
Additional limits apply per endpoint type:
- Authentication: 10 attempts per minute per IP
- Widget sessions: 30 messages per minute per session
Rate limit headers:
```http
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1706540400
```
When rate limited, you'll receive a 429 Too Many Requests response. Contact support@demeterics.com for higher limits.
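An added client-side example, not Demeterics code, showing how a caller should combine two things this page asks for: reading the key from an environment variable instead of source, and honouring the `X-RateLimit-*` headers so a 429 is retried only once the window has reset. The environment variable name `DEMETERICS_API_KEY`, the `/api/v1/example` URL used in the demo, the retry and clamp values, and the fake transport that plays the server are all constructed for this example.

```python
import os
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def load_api_key(env=os.environ) -> str:
    """Read the key from the environment (variable name assumed) and fail loudly if it is
    absent or not shaped like a dmt_ key, so a misconfigured deploy cannot silently
    send unauthenticated requests."""
    key = env.get("DEMETERICS_API_KEY", "")
    if not key.startswith("dmt_") or len(key) != 36:
        raise RuntimeError("DEMETERICS_API_KEY is unset or is not a dmt_ key")
    return key


def _header_int(resp, name: str) -> int:
    try:
        return int(resp.headers.get(name, "0"))
    except ValueError:
        return 0


def call_with_rate_limit(send, method, url, key, max_retries=3, now=time.time, sleep=time.sleep):
    """send(method, url, headers) -> Response is whatever HTTP transport you use.
    On 429, wait until X-RateLimit-Reset (Unix epoch seconds) and retry, at most
    max_retries times. The wait is clamped to [1, 60] seconds so a missing or
    stale header still pauses briefly and a bogus far-future value cannot hang the caller."""
    headers = {"Authorization": f"Bearer {key}"}
    resp = send(method, url, headers)
    for _ in range(max_retries):
        if resp.status != 429:
            break
        wait = min(max(_header_int(resp, "X-RateLimit-Reset") - now(), 1), 60)
        sleep(wait)
        resp = send(method, url, headers)
    return resp


def remaining_budget(resp) -> int:
    """Read the headers proactively so a batch job can slow down before it is cut off."""
    return _header_int(resp, "X-RateLimit-Remaining")


def make_fake_transport(rate_limited_responses: int, reset_at: int):
    """Constructed stand-in for the network: answers 429 the given number of times, then 200.
    Returns the send function and a log of Authorization headers it saw."""
    log = []
    limited = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": str(reset_at)}
    ok = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "45", "X-RateLimit-Reset": str(reset_at)}

    def send(method, url, headers):
        log.append(headers["Authorization"])
        if len(log) <= rate_limited_responses:
            return Response(429, limited)
        return Response(200, ok, b"{}")

    return send, log
```

Sleeping until the reset timestamp rather than retrying immediately matters because every rejected retry still counts against the per-minute window, so a tight loop on 429 keeps the caller locked out.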
Input Validation
All inputs are validated and sanitized:
- SQL injection prevention (parameterized queries only)
- XSS prevention (output encoding)
- Path traversal prevention
- File upload validation (type, size, content)
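An added example, not Demeterics code, of three of the controls listed above in working form: a path join that refuses traversal, a parameterized query next to the string-built query it replaces, and HTML output encoding. The upload directory `/srv/uploads` and the in-memory `users` table are constructed for the example. The traversal check compares resolved paths structurally rather than with a string prefix, because a prefix test treats `/srv/uploads_evil` as inside `/srv/uploads`.

```python
import html
import sqlite3
from pathlib import Path


def safe_join(base_dir: str, user_path: str) -> Path:
    """Resolve user_path under base_dir and refuse anything that escapes it.
    resolve() collapses '..' and follows symlinks; an absolute user_path replaces
    the base when joined, so it also lands outside and is rejected. Checking
    'base in target.parents' also rejects the base directory itself."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if base not in target.parents:
        raise ValueError(f"path escapes upload directory: {user_path!r}")
    return target


def is_safe_path(base_dir: str, user_path: str) -> bool:
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


def find_user_unsafe(conn, email):
    # Vulnerable on purpose: the input becomes SQL text. Shown only to contrast
    # with the parameterized version below; never ship this.
    return conn.execute(f"SELECT id, email FROM users WHERE email = '{email}'").fetchone()


def find_user(conn, email):
    """Parameterized: the driver binds email as a value, so quotes in it are data, not syntax."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchone()


def render_display_name(name: str) -> str:
    """Output encoding for an HTML context; quote=True also makes it safe inside attributes."""
    return html.escape(name, quote=True)


def demo_db():
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [("alice@example.com",), ("bob@example.com",)])
    return conn
```

Run `find_user` and `find_user_unsafe` with the input `' OR '1'='1` to see the difference: the parameterized query finds no such address, while the string-built one returns the first row in the table.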
Compliance
GDPR
Demeterics supports GDPR compliance requirements:
Data Subject Rights:
| Right | Implementation |
|---|---|
| Access | Export all user data via API |
| Rectification | Edit user data in dashboard |
| Erasure | DELETE /api/v1/data endpoint |
| Portability | JSON/CSV export formats |
Data Deletion:
```bash
curl -X DELETE https://api.demeterics.com/api/v1/data \
  -H "Authorization: Bearer dmt_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "tables": ["interactions", "analytics"],
    "start_date": "2024-01-01T00:00:00Z",
    "end_date": "2024-12-31T23:59:59Z",
    "confirm": true
  }'
```
Request Fields:
| Field | Type | Description |
|---|---|---|
| tables | array | Tables to delete from: interactions, analytics |
| start_date | string | RFC 3339 start date (optional) |
| end_date | string | RFC 3339 end date (optional) |
| session_ids | array | Specific session IDs to delete (optional) |
| confirm | bool | Must be true to execute deletion |
| dry_run | bool | Preview deletion without executing |
Response:
```json
{
  "status": "completed",
  "request_id": "req_abc123",
  "tables": ["interactions", "analytics"],
  "rows_deleted": 1523,
  "message": "Deletion completed successfully"
}
```
SOC 2
Demeterics infrastructure is hosted on Google Cloud Platform, which maintains SOC 2 Type II certification. Note that Google's report attests to the underlying platform services, not to the Demeterics application built on top of them. Contact security@demeterics.com for our security questionnaire.
Audit Logging
Security-relevant events are logged to BigQuery for compliance and analysis:
- Credit transactions and billing events
- Rate limit violations
- Schema changes and migrations
- Data deletion requests
Access audit data via BigQuery exports or contact support@demeterics.com for compliance reports.
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly:
Email: security@demeterics.com
What to include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information
Our commitment:
- Acknowledge receipt within 24 hours
- Provide status updates every 72 hours
- Credit reporters (if desired) after fix
Security Checklist
Use this checklist when deploying Demeterics in production:
- Use environment variables for API keys
- Configure allowed domains for widgets
- Review and restrict API key scopes
- Configure low balance alerts for credits
- Set up webhook signatures for integrations
- Review data retention policies
- Test data deletion workflow
- Set up Slack/email alerts for error rate spikes
Getting Help
- Documentation: https://demeterics.com/docs
- Security questions: security@demeterics.com
- General support: support@demeterics.com