Security Overview

Last Updated: June 30, 2025

This document outlines the security posture of PII Guardian.

Architecture

The application is designed with security as a primary concern. Key architectural features include:

  • Self-Hosted: The entire application (API, database, workers) runs within the customer's own environment. No data is ever sent to NorrexIT.
  • Multi-Tenancy: Data is strictly segregated between tenants at the database query level, preventing any possibility of cross-tenant data access.
  • Stateless Authentication: The data plane is secured by hashed API keys, while the management plane uses standard JWTs.

Best Practices

The codebase follows modern security best practices, including:

  • Use of an ORM (SQLAlchemy) to prevent SQL injection.
  • Password and API key hashing using bcrypt.
  • Containerization with a non-root user for reduced privilege.
  • Structured, redacted logging to prevent accidental leakage of secrets.
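
One way to implement the structured, redacted logging named in the last bullet is a formatter that masks secrets before a record is serialized. This is an added example, not PII Guardian's own code; the sensitive key names, token patterns, logger name and sample event are assumptions constructed for illustration.

```python
import io
import json
import logging
import re

# Assumed field names and token shapes; extend to match the deployment's own secrets.
SENSITIVE_KEYS = {"password", "api_key", "authorization", "token", "secret"}
TOKEN_PATTERNS = [
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+"),  # Authorization header values
    re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),         # JWT-shaped strings
]
MASK = "[REDACTED]"


def redact(value, key=None):
    """Recursively mask values under sensitive keys and token-shaped substrings."""
    if key is not None and str(key).lower() in SENSITIVE_KEYS:
        return MASK
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pattern in TOKEN_PATTERNS:
            value = pattern.sub(MASK, value)
    return value


class RedactingJsonFormatter(logging.Formatter):
    """Emit one JSON object per record, redacted before it is serialized."""
    def format(self, record):
        event = {"level": record.levelname, "logger": record.name,
                 "message": redact(record.getMessage()),
                 "context": redact(getattr(record, "context", {}))}
        return json.dumps(event, sort_keys=True, default=str)


def demo():
    """Log a constructed event that carries secrets and return the emitted line."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingJsonFormatter())
    log = logging.getLogger("redaction_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("login with Bearer abc.def.ghi", extra={"context": {
        "tenant_id": 7, "api_key": "pg_live_constructed", "headers": {"Authorization": "x"}}})
    return stream.getvalue().strip()
```

Redacting inside the formatter means every handler that uses it gets masked output, including records emitted by third-party libraries on the same logger.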