IthilPenetration Testing
Ithil is penetration tested by Cobalt, a CREST accredited offensive security firm. Results are available on request. Network, application, and data layers are each secured independently with defense in depth.
Security Overview
SOC 2 Type I readiness controls are implemented across the platform. Type II audit is scheduled. NIST 800-53 control mapping is documented for federal compliance assessments.
Data Protection
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Tenant data is isolated at the database schema level. Each tenant has its own schema, and no query executes without tenant context. Backups are encrypted and stored in geographically separated locations.
Compliance
The platform is built to WCAG 2.1 AA standards, meeting Section 508 accessibility requirements. The data model supports GASB 34 compliance for government asset reporting. Compliance controls are enforced at the database and application level for every customer.
Infrastructure
Ithil runs on AWS in US regions (us-west-2). All infrastructure is deployed within isolated Virtual Private Clouds (VPCs). Database endpoints are never publicly accessible. Infrastructure is managed as code with automated security scanning on every deployment.
Domestic Operations
Ithil is built entirely by a US based team. All development, operations, and customer support are performed domestically. No work is outsourced offshore. All data is handled exclusively by personnel within US jurisdiction.
Access Control
Role based access control (RBAC) governs all operations. Single sign on (SSO) is supported via WorkOS. Multi factor authentication (MFA) is available for all accounts. Sessions are managed with secure, HttpOnly cookies with configurable timeout policies.
Audit Trail
Every operation in Ithil generates an immutable event in the audit log. Work orders and inspections use append only event stores that support point in time reconstruction. Authorization denials are logged. Data retention policies are configurable per tenant.
Session Management
Sessions enforce a 30 minute maximum inactivity timeout with a 2 minute idle warning, aligned with NIST 800-53 AC-12. All session tokens are stored in secure, HttpOnly cookies with SameSite protection. CSRF tokens are validated on every state-changing request.
Multi Factor Authentication
Multi factor authentication via TOTP (Time based One-Time Password) is available for all accounts. MFA adds a second verification step beyond passwords, protecting accounts even if credentials are compromised.
IP Allowlisting
Tenants can restrict platform access to specific IP addresses or CIDR ranges. This network level control, aligned with SOC 2 CC6.6 and NIST 800-53 SC-7, ensures the platform is only accessible from authorized networks.
Cryptographic Standards
Ithil uses FIPS 140-2 compliant cryptographic modules. Data at rest is protected with KMS envelope encryption using AES-256-GCM. All hash chains use SHA-256 for tamper evident audit trails. TLS 1.3 protects all data in transit.
Immutable Audit Logs
The platform maintains approximately 25 append only tables and 45 soft delete tables protected by database-level triggers. No audit record can be altered or deleted, even by administrators. Event sourcing with SHA-256 hash chains provides tamper evident, point in time reconstructable history.
NIST 800-53 Alignment
Ithil's security controls align with NIST 800-53 requirements including session management (AC-12), network boundary protection (SC-7), access control (AC-2), and audit generation (AU-12). Controls are documented and mapped for federal compliance assessments.
Incident Response
Ithil maintains a documented incident response plan. Security incidents are communicated to affected customers within 24 hours. Our security team monitors for threats continuously. Contact security@ithil.ai for any security concerns.
Responsible Disclosure
We welcome reports from security researchers. If you discover a vulnerability, please report it to security@ithil.ai. We commit to acknowledging reports within 48 hours and will work with you on remediation timelines. We do not pursue legal action against researchers who report vulnerabilities in good faith.
For security inquiries, contact security@ithil.ai.