Security
Authentication
EchelonGraph supports multiple authentication methods, configurable per-tenant to match your organization's security requirements.
Email / Password
- Industry-standard password hashing with constant-time comparison
- Automatic account lockout after repeated failed attempts
- Secure token handling with HttpOnly, Secure, and SameSite cookie attributes
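The three bullets above describe properties rather than code, so here is what they look like when implemented. This is an added illustration, not EchelonGraph's own implementation: the KDF (PBKDF2-HMAC-SHA256 from the Python standard library), the lockout threshold of 5 failures, the 15-minute lock duration and the `__Host-session` cookie name are assumptions chosen for the demo, and the page does not state the product's actual parameters.

```python
"""Password verification with constant-time comparison, failed-attempt
lockout, and a hardened session cookie.

Added example, not EchelonGraph's code. KDF, thresholds and cookie name are
assumptions for the demo.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256
LOCKOUT_THRESHOLD = 5         # assumed: failures before the account locks
LOCKOUT_SECONDS = 15 * 60     # assumed: how long the lock lasts


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$digest_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare it in constant time.

    hmac.compare_digest does not stop at the first differing byte, so an
    attacker measuring response time cannot learn how many bytes matched.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class Account:
    email: str
    password_hash: str
    failed_attempts: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}
        # Hash a random dummy password once so that unknown e-mails cost the
        # same time as wrong passwords (no user-enumeration timing oracle).
        self._dummy_hash = hash_password(secrets.token_hex(16))

    def login(self, email: str, password: str, now: float = None) -> str:
        """Return 'ok', 'invalid' or 'locked'.

        A production API would show the client the same generic error for
        'invalid' and 'locked' and keep the distinction in the audit log.
        """
        now = time.time() if now is None else now
        account = self.accounts.get(email)
        if account is None:
            verify_password(password, self._dummy_hash)  # burn the same time
            return "invalid"
        if now < account.locked_until:
            return "locked"
        if verify_password(password, account.password_hash):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            return "locked"
        return "invalid"


def session_cookie(token: str, max_age: int = 3600) -> str:
    """Set-Cookie value carrying the attributes listed above.

    HttpOnly keeps script from reading the token, Secure restricts it to TLS,
    SameSite=Lax stops cross-site POSTs from carrying it. The __Host- prefix
    additionally requires Secure, Path=/ and no Domain attribute.
    """
    return (
        f"__Host-session={token}; Path=/; Max-Age={max_age}; "
        "HttpOnly; Secure; SameSite=Lax"
    )
```

The lockout counter is reset when the lock is applied, so after the 15 minutes expire the user gets a fresh budget of attempts rather than being locked again on the first mistake.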
Single Sign-On (SSO)
| Protocol | Supported Providers |
|---|---|
| SAML 2.0 | Okta, Azure AD, OneLogin, PingIdentity |
| OIDC | Google Workspace, Okta, Azure AD, Auth0, Keycloak |
| LDAP / Active Directory | Any LDAP-compliant directory (LDAPS and StartTLS supported) |
SSO integrations support automatic user provisioning and group-to-role mapping. See Integrations for setup guides.
WebAuthn / Passkeys
Support for hardware security keys (for example YubiKey) and platform authenticators with biometric unlock (Face ID, fingerprint) via the WebAuthn standard. The biometric check happens on the user's device; only a signed challenge reaches EchelonGraph, so no biometric data is stored server-side, and because WebAuthn credentials are bound to the site's origin they cannot be replayed against a phishing domain.
Multi-Factor Authentication
- TOTP: Compatible with Google Authenticator, Authy, 1Password, and other RFC 6238 apps
- WebAuthn: Hardware security keys and biometric authentication
- Recovery codes: Single-use backup codes for account recovery
- Tenant MFA policies: Administrators set a tenant-wide MFA policy of off, optional, or required, applying to all users in their organization
Role-Based Access Control (RBAC)
Four customer-facing roles provide granular access control:
| Role | What They Can Do |
|---|---|
| Viewer | Read-only access to dashboards, assets, alerts, and reports |
| Analyst | Viewer + manage alerts, create reports, export data |
| Operator | Analyst + manage scans, cloud accounts, and integrations |
| Admin | Full tenant administration — users, settings, SSO, billing |
Each role inherits every permission of the less-privileged roles listed above it in the table (Viewer ⊂ Analyst ⊂ Operator ⊂ Admin), so a permission check only needs to compare rank, not enumerate roles.
SCIM 2.0 Provisioning
Automate user lifecycle management directly from your identity provider. Provision users, sync group memberships, and map groups to EchelonGraph roles — all through the SCIM 2.0 standard. Compatible with Okta, Azure AD, OneLogin, and any SCIM-compliant IdP.
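The two sections above fit together: the RBAC table defines a strict ordering of roles, and SCIM provisioning decides which of those roles an incoming user gets from their IdP groups. The following is an added example of both, not EchelonGraph's code. The permission names, the group-to-role table, and the use of the SCIM core `groups` attribute's `display` sub-attribute (RFC 7643) as the mapping key are assumptions; a real deployment would use the group identifiers the IdP actually sends.

```python
"""Role hierarchy from the RBAC table plus SCIM group-to-role mapping.

Added example, not EchelonGraph's code. Permission names, the mapping table
and the SCIM attribute used for matching are assumptions.
"""

# Least to most privileged; each role inherits everything before it.
ROLE_ORDER = ("viewer", "analyst", "operator", "admin")

# Permissions each role adds on top of the previous one, from the table.
ROLE_GRANTS = {
    "viewer": {"dashboards:read", "assets:read", "alerts:read", "reports:read"},
    "analyst": {"alerts:manage", "reports:create", "data:export"},
    "operator": {"scans:manage", "cloud_accounts:manage", "integrations:manage"},
    "admin": {"users:manage", "settings:manage", "sso:manage", "billing:manage"},
}


def permissions_for(role: str) -> frozenset:
    """All permissions a role holds, including inherited ones."""
    if role not in ROLE_ORDER:
        raise ValueError(f"unknown role: {role}")
    granted = set()
    for r in ROLE_ORDER[: ROLE_ORDER.index(role) + 1]:
        granted |= ROLE_GRANTS[r]
    return frozenset(granted)


def is_allowed(role: str, permission: str) -> bool:
    """Deny by default: an unknown permission string is never granted."""
    return permission in permissions_for(role)


# Assumed IdP group -> role mapping that a tenant admin would configure.
GROUP_ROLE_MAP = {
    "sec-admins": "admin",
    "soc-operators": "operator",
    "soc-analysts": "analyst",
    "everyone": "viewer",
}


def role_from_scim_user(user: dict, group_role_map=GROUP_ROLE_MAP,
                        default: str = "viewer"):
    """Pick the role for a SCIM 2.0 User resource.

    The core schema carries memberships in the multi-valued 'groups'
    attribute, each entry having 'value' (group id) and 'display' (name).
    A user in several mapped groups gets the most privileged one; groups
    with no mapping grant nothing. A deactivated user ('active': false)
    gets no role at all, which is how deprovisioning takes effect.
    """
    if not user.get("active", True):
        return None
    best = default
    for group in user.get("groups", []):
        role = group_role_map.get(group.get("display"))
        if role and ROLE_ORDER.index(role) > ROLE_ORDER.index(best):
            best = role
    return best
```

Keeping the role order in one tuple and deriving everything else from it is what makes the "inherits from the roles below" statement checkable: `permissions_for` of each role is a proper superset of the one before it, which the test below asserts.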
Encryption
| Layer | Protection |
|---|---|
| In transit | TLS 1.2+ on all connections and API endpoints |
| At rest | AES-256 encryption on all managed data stores |
| Sensitive fields | Field-level encryption for credentials and personally identifiable information |
| Self-hosted | Bring Your Own Key (BYOK) — customer-managed encryption keys |
Audit Trail
Every security-relevant action is recorded in an immutable, tamper-proof audit log:
- Authentication events (login, logout, MFA verification, SSO, failed attempts)
- Permission changes (role assignments, user invites, deactivations)
- Configuration changes (cloud accounts, SSO settings, MFA policies)
- Data exports (report generation, compliance exports)
Audit logs are retained for 90 days by default, configurable up to 365 days on Enterprise plans. Logs can be exported for external SIEM integration.
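Once the audit log is exported to a SIEM, the event categories listed above are what detection rules key on. The following added example is not EchelonGraph's code and the event schema (JSON lines with `ts`, `tenant`, `actor`, `action`, `target`, `details`) and action names are assumptions invented for the demo; the sample export is constructed, not real data. It shows three rules a security team would typically want first: an MFA policy downgrade, an Admin role grant, and a burst of failed logins against one account.

```python
"""Detection rules over an exported audit log.

Added example, not EchelonGraph's code. The JSON-lines schema, action names
and thresholds are assumptions; the sample export below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
{"ts": "2024-05-02T09:00:00Z", "tenant": "acme", "actor": "ceo@acme.example", "action": "auth.login.failed", "target": null, "details": {"ip": "203.0.113.10"}}
{"ts": "2024-05-02T09:00:05Z", "tenant": "acme", "actor": "ceo@acme.example", "action": "auth.login.failed", "target": null, "details": {"ip": "203.0.113.11"}}
{"ts": "2024-05-02T09:00:40Z", "tenant": "acme", "actor": "ceo@acme.example", "action": "auth.login.failed", "target": null, "details": {"ip": "203.0.113.12"}}
{"ts": "2024-05-02T09:03:00Z", "tenant": "acme", "actor": "admin@acme.example", "action": "config.mfa_policy.changed", "target": "tenant", "details": {"from": "required", "to": "off"}}
{"ts": "2024-05-02T09:04:00Z", "tenant": "acme", "actor": "admin@acme.example", "action": "rbac.role.assigned", "target": "contractor@acme.example", "details": {"role": "admin"}}
{"ts": "2024-05-02T09:05:00Z", "tenant": "acme", "actor": "analyst@acme.example", "action": "report.exported", "target": "compliance-q2", "details": {}}
"""

MFA_RANK = {"off": 0, "optional": 1, "required": 2}
FAILED_LOGIN_THRESHOLD = 3          # assumed: failures that constitute a burst
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_export(text: str) -> list:
    """Parse JSON lines into events with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def _alert(rule: str, event: dict) -> dict:
    return {
        "rule": rule,
        "tenant": event["tenant"],
        "actor": event["actor"],
        "target": event.get("target"),
        "ts": event["ts"].isoformat(),
    }


def detect(events: list) -> list:
    """Run the three rules over events in time order and return alerts."""
    alerts = []
    failures = defaultdict(list)   # (tenant, actor) -> timestamps in window
    for event in sorted(events, key=lambda e: e["ts"]):
        action, details = event["action"], event.get("details") or {}
        if action == "config.mfa_policy.changed":
            before, after = details.get("from"), details.get("to")
            if MFA_RANK.get(after, 0) < MFA_RANK.get(before, 0):
                alerts.append(_alert("mfa_policy_weakened", event))
        elif action == "rbac.role.assigned" and details.get("role") == "admin":
            alerts.append(_alert("admin_role_granted", event))
        elif action == "auth.login.failed":
            window = failures[(event["tenant"], event["actor"])]
            window.append(event["ts"])
            while window and event["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)          # slide the window forward
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(_alert("login_failure_burst", event))  # fire once per burst
    return alerts
```

The MFA rule compares ranks rather than testing for a literal "off", so required to optional is caught as a downgrade while off to optional is not flagged as one.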
Incident Response
EchelonGraph maintains a structured incident response process for platform security events. We classify incidents by severity and commit to defined response times. For security concerns or to report a vulnerability:
Responsible disclosure: security@echelongraph.io
Infrastructure Security
- Network isolation: Data stores are never exposed to the public internet
- Minimal attack surface: Lightweight container images running as non-root processes
- Rate limiting: Per-tenant rate limits on all API endpoints with brute-force protection
- Built-in WAF: Web application firewall with IP blocking and configurable rules
- Continuous scanning: Automated security scanning on every deployment
- Dependency monitoring: Continuous vulnerability monitoring across all dependencies
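The rate-limiting bullet above combines two ideas: a budget per tenant, so one customer's traffic cannot starve another's, and a tighter budget on authentication endpoints for brute-force protection. The token-bucket limiter below is an added example of that pattern, not EchelonGraph's code; the tier sizes, refill rates and the list of sensitive path prefixes are assumptions.

```python
"""Per-tenant token-bucket rate limiter with a tighter tier for auth endpoints.

Added example, not EchelonGraph's code. Tier sizes, refill rates and the
sensitive path prefixes are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float        # burst size
    refill_per_sec: float  # sustained rate
    tokens: float
    updated: float         # last refill timestamp (seconds)


class TenantRateLimiter:
    # Assumed tiers: (burst capacity, sustained requests per second).
    TIERS = {"default": (100, 10.0), "sensitive": (5, 0.1)}
    SENSITIVE_PREFIXES = ("/auth/login", "/auth/mfa", "/auth/token")

    def __init__(self):
        self.buckets = {}  # (tenant, tier) -> Bucket

    def _tier(self, path: str) -> str:
        return "sensitive" if path.startswith(self.SENSITIVE_PREFIXES) else "default"

    def _bucket(self, tenant: str, path: str, now: float) -> Bucket:
        tier = self._tier(path)
        key = (tenant, tier)
        bucket = self.buckets.get(key)
        if bucket is None:
            capacity, rate = self.TIERS[tier]
            bucket = self.buckets[key] = Bucket(capacity, rate, capacity, now)
        # Lazy refill: add tokens for the time elapsed, capped at capacity.
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(bucket.capacity, bucket.tokens + elapsed * bucket.refill_per_sec)
        bucket.updated = now
        return bucket

    def allow(self, tenant: str, path: str, now: float) -> bool:
        """Consume one token if available; otherwise reject the request."""
        bucket = self._bucket(tenant, path, now)
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False

    def retry_after(self, tenant: str, path: str, now: float) -> float:
        """Seconds until one token is available, for a Retry-After header."""
        bucket = self._bucket(tenant, path, now)
        if bucket.tokens >= 1.0:
            return 0.0
        return (1.0 - bucket.tokens) / bucket.refill_per_sec
```

Keying buckets on `(tenant, tier)` rather than on client IP is what makes the limit per-tenant: a credential-stuffing run spread across many source addresses still draws from the same five-attempt login budget.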