PushContext — Security Overview

Last updated: September 2, 2025

PushContext is a "push knowledge infrastructure" that surfaces prior decisions, playbooks, and guardrails inside tools such as Slack, Jira, GitHub, and Docs. Security is built into our product design and operations.

1) Scope & shared responsibility

Security is a shared responsibility: we secure the application, orchestration, data handling, and our cloud infrastructure; you control identity, tenant data, and configuration.

2) Security at a glance

3) Data classification

Customer Data: content and metadata you connect (snippets, titles, PR diffs); Account Data: admin/user names, emails, organization and billing details; Telemetry: usage events and diagnostics.

4) Architecture & tenant isolation

Designed for tenant isolation (row-level security, namespaced vectors) and ACL-enforced retrieval. VPC/on-prem deployments mirror controls within your environment.

5) Identity & access control

SSO (SAML/OIDC), MFA, RBAC, and just-in-time support access that is opt-in and audited.

6) Encryption & key management

TLS 1.2+ in transit, AES-256 at rest. Keys managed via KMS; CMK available for Enterprise/VPC.

7) Secrets & connector security

Connector auth uses OAuth 2.0 or app tokens with least-privilege scopes. Secrets are encrypted at rest and never logged.

8) Product safety controls

Push thresholding, approval workflows, topic controls, and recorded approver identity reduce the risk of erroneous actions.

9) Secure SDLC

Design reviews, threat modeling, PR checks, static analysis, secrets scanning, dependency hygiene, and SBOM available on request.

10) Vulnerability management & testing

Continuous SCA and container scans, scheduled pen-tests, and patching SLAs (Critical: 72h, High: 7d, Medium: 30d). Executive summaries available under NDA.

11) Monitoring & incident response

Centralized logging, anomaly detection, immutable audit logs, 24×7 on-call, and customer notification targets (initial notice ≤ 72 hours where applicable).

12) Business continuity & backups

Encrypted automated backups, periodic restore tests, and RPO/RTO targets: RPO ≤ 24 hours, RTO ≤ 24 hours (SaaS).

13) Data retention & deletion

Configurable retention, data export on request, and right-to-erasure handled per applicable law.

14) Compliance & subprocessors

Compliance roadmap includes SOC 2 Type II and ISO 27001. We maintain a list of subprocessors and bind them contractually to security obligations.

15) Customer configuration & best practices

16) Responsible disclosure & contact

If you believe you have found a security issue, contact vikarn@lupuscreed.com with reproduction steps, impact, and contact details. Allow reasonable time for investigation; recognition may be provided.

17) Changes to this page

We may update this Security Overview to reflect improvements and evolving standards. Material changes will be noted with a new "Last updated" date.