Architecture
The platform runs on a containerized microservices architecture orchestrated on Kubernetes within EU data centers. Services are isolated, individually scalable and deployed through an automated CI/CD pipeline.
Data protection
We protect data at every layer:
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Per-tenant data isolation
- Encrypted, automated PostgreSQL backups
Access control
Access is governed by least privilege:
- Role-based access control (Owner / Admin / Manager / Member / Read-only)
- Optional two-factor authentication (TOTP)
- Short-lived JWT access tokens with rotating refresh tokens
- Remote session invalidation and active-session listing
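As an added illustration (not the platform's own code), the token and session design listed above can be sketched in a few dozen lines: access tokens are HS256 JWTs that expire after a short TTL, every refresh issues a new refresh secret and retires the old one, presenting a retired secret is treated as theft and kills that session, and each access token is checked against a server-side session list so that revoking a session remotely takes effect at once. Key handling, the TTL values, the in-memory store and the demo clock are assumptions made for the example.

```python
# Added example, not the platform's code: HS256 access JWTs that die after
# ACCESS_TTL, refresh tokens rotated on every use with replay detection, and a
# server-side session table behind "list my sessions" and remote logout.
# TTLs, the in-memory store and the demo clock are assumptions for illustration.
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCESS_TTL = 15 * 60           # assumed: 15-minute access tokens
REFRESH_TTL = 30 * 24 * 3600   # assumed: no session can be refreshed past 30 days

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT: b64url(header).b64url(claims).b64url(mac)."""
    header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def verify_jwt(token: str, key: bytes, now: float) -> Optional[dict]:
    # Claims only if the MAC verifies, alg is pinned to HS256 and exp is in the
    # future; None for tampering, alg=none, malformed input or expiry.
    try:
        header, body, sig = token.split(".")
        mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _unb64url(sig)):
            return None
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64url(body))
        return None if claims["exp"] <= now else claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

@dataclass
class Session:
    sid: str
    user: str
    refresh_hash: str        # only a hash of the live refresh secret is stored
    created: float
    revoked: bool = False

class SessionStore:
    """In-memory stand-in for the sessions table; a real service persists it."""
    def __init__(self, key: bytes) -> None:
        self.key, self.sessions = key, {}  # sid -> Session
    def _access(self, sid: str, user: str, now: float) -> str:
        claims = {"sub": user, "sid": sid, "iat": int(now), "exp": int(now) + ACCESS_TTL}
        return sign_jwt(claims, self.key)
    def login(self, user: str, now: float) -> Tuple[str, str]:
        sid, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.sessions[sid] = Session(sid, user, _digest(secret), now)
        return self._access(sid, user, now), f"{sid}.{secret}"
    def refresh(self, refresh_token: str, now: float) -> Optional[Tuple[str, str]]:
        sid, _, secret = refresh_token.partition(".")
        s = self.sessions.get(sid)
        if s is None or s.revoked or now - s.created > REFRESH_TTL:
            return None
        if not hmac.compare_digest(s.refresh_hash, _digest(secret)):
            s.revoked = True  # an already-rotated secret was replayed: stolen copy
            return None
        s.refresh_hash = _digest(new_secret := secrets.token_urlsafe(32))
        return self._access(sid, s.user, now), f"{sid}.{new_secret}"
    def authorize(self, access_token: str, now: float) -> Optional[str]:
        # The session lookup is what makes remote logout immediate; skip it and
        # a revoked session keeps working for up to ACCESS_TTL.
        claims = verify_jwt(access_token, self.key, now)
        s = self.sessions.get(claims.get("sid")) if claims else None
        return None if s is None or s.revoked else claims.get("sub")
    def list_sessions(self, user: str) -> List[Session]:
        return [s for s in self.sessions.values() if s.user == user and not s.revoked]
    def revoke(self, user: str, sid: str) -> bool:
        s = self.sessions.get(sid)
        if s is None or s.user != user:  # a user may only kill their own sessions
            return False
        s.revoked = True
        return True

def demo() -> Dict[str, bool]:
    """Login, expiry, rotation, replay detection and remote logout on a constructed clock."""
    store, t0 = SessionStore(secrets.token_bytes(32)), 1_700_000_000.0
    access1, refresh1 = store.login("alice", t0)
    r = {"fresh_access_ok": store.authorize(access1, t0 + 60) == "alice",
         "expired_access_rejected": store.authorize(access1, t0 + ACCESS_TTL + 1) is None}
    access2, refresh2 = store.refresh(refresh1, t0 + ACCESS_TTL)
    r["rotated_access_ok"] = store.authorize(access2, t0 + ACCESS_TTL + 60) == "alice"
    r["replayed_refresh_rejected"] = store.refresh(refresh1, t0 + ACCESS_TTL + 90) is None
    r["family_dead_after_replay"] = store.refresh(refresh2, t0 + ACCESS_TTL + 91) is None
    r["access_dead_after_replay"] = store.authorize(access2, t0 + ACCESS_TTL + 92) is None
    access3, _ = store.login("alice", t0)  # second device, then revoke it remotely
    live = store.list_sessions("alice")
    r["one_live_session_listed"] = len(live) == 1
    r["remote_revoke_ok"] = store.revoke("alice", live[0].sid)
    r["revoked_access_rejected"] = store.authorize(access3, t0 + 1) is None
    return r
```

demo() returns a dict of named checks that are all True when the design behaves as described. The per-request session lookup trades some of a JWT's statelessness for immediate revocation; a deployment that drops it accepts up to ACCESS_TTL of lag after a remote logout, which is why the access TTL is kept short.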
Application security
We address the OWASP Top 10 and follow secure-development practices:
- Input validation and output encoding against injection (SQLi / XSS), CSRF protections, and per-object authorization checks (IDOR)
- Dependency and container vulnerability scanning (Dependabot, Trivy)
- Secrets stored in encrypted secret managers
- Rate limiting per IP and per user
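How per-IP and per-user limits combine is shown below as an added example, not the platform's code: a token-bucket limiter where anonymous requests draw only on the caller's IP bucket and authenticated requests must pass both the IP bucket and the user's bucket. The budgets (100 requests per minute per IP, 60 per minute per user), the addresses and the request streams are constructed for the example.

```python
# Added example, not the platform's code: a token-bucket limiter keyed per IP
# and per authenticated user. Limits, addresses and request streams are
# constructed for illustration; a real deployment keeps buckets in shared
# storage so every replica enforces the same budget.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Bucket:
    capacity: float       # burst size
    refill_per_s: float   # sustained rate
    tokens: float
    updated: float

    def take(self, now: float) -> bool:
        """Refill for the elapsed time (capped at capacity), then spend one token."""
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.refill_per_s)
        self.updated = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class RateLimiter:
    """Anonymous requests are limited per IP only. Authenticated requests must
    pass the per-IP bucket and the per-user bucket, so rotating source
    addresses does not buy more requests against one account."""
    def __init__(self, ip_burst: int = 100, ip_per_s: float = 100 / 60,
                 user_burst: int = 60, user_per_s: float = 1.0) -> None:
        self.ip_cfg, self.user_cfg = (ip_burst, ip_per_s), (user_burst, user_per_s)
        self.buckets: Dict[str, Bucket] = {}

    def _bucket(self, key: str, cfg: Tuple[float, float], now: float) -> Bucket:
        if key not in self.buckets:
            self.buckets[key] = Bucket(cfg[0], cfg[1], cfg[0], now)  # starts full
        return self.buckets[key]

    def allow(self, ip: str, user: Optional[str], now: float) -> Tuple[bool, str]:
        """(allowed, which_limit). A request stopped by the user bucket has
        already spent an IP token: rejected requests are deliberately not free."""
        if not self._bucket(f"ip:{ip}", self.ip_cfg, now).take(now):
            return False, "ip"
        if user is not None and not self._bucket(f"user:{user}", self.user_cfg, now).take(now):
            return False, "user"
        return True, "ok"

def demo() -> Dict[str, int]:
    """Constructed streams at one instant (no refill): an anonymous burst from
    one address, the same from a second address, and one account driven from
    80 rotating addresses. Returns counts a test can check."""
    rl, t0 = RateLimiter(), 0.0
    anon = [rl.allow("203.0.113.7", None, t0) for _ in range(120)]
    other = [rl.allow("203.0.113.8", None, t0) for _ in range(120)]
    spread = [rl.allow(f"198.51.100.{i}", "alice", t0) for i in range(80)]
    later = rl.allow("203.0.113.7", None, t0 + 61.0)  # IP bucket refilled after a minute
    return {
        "anon_allowed": sum(ok for ok, _ in anon),
        "anon_blocked_by_ip": sum(why == "ip" for _, why in anon),
        "other_ip_allowed": sum(ok for ok, _ in other),
        "user_allowed": sum(ok for ok, _ in spread),
        "user_blocked_by_user": sum(why == "user" for _, why in spread),
        "ip_recovers_after_refill": int(later[0]),
    }
```

Per-IP limits also throttle legitimate users behind a shared NAT, which is why the example keeps the IP budget larger than the per-user budget; for an authenticated client the user bucket is the real ceiling. The in-memory dict is only valid for a single process; with several replicas the buckets have to live in shared storage or each replica hands out the full budget on its own.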
Monitoring & auditing
Centralized logging and metrics, real-time alerting, health checks across services, and an immutable audit trail recording who did what and when.
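What makes an audit trail checkably immutable, shown as an added example rather than the platform's implementation: each entry carries the hash of the entry before it, so an edit or deletion anywhere in history breaks the chain, and a separately stored head hash (the "anchor") catches the one thing a chain alone cannot, removal of the newest entries. The record fields and sample events are constructed.

```python
# Added example, not the platform's code: a hash-chained audit trail in which
# each entry commits to who/what/when and to the hash of the entry before it,
# plus a verifier that pinpoints edits and deletions. The record fields and
# sample events are constructed; "anchor" stands for the chain head stored
# somewhere the application cannot rewrite (for example WORM object storage).
import copy, hashlib, json
from typing import Dict, List, Optional

GENESIS = "0" * 64

def entry_hash(body: dict) -> str:
    """SHA-256 over a canonical encoding (sorted keys, no whitespace) so two
    encodings of the same record cannot disagree about the hash."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, target: str, at: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "target": target, "at": at, "prev": prev}
        entry = dict(body, hash=entry_hash(body))
        self.entries.append(entry)
        return entry

def verify(entries: List[dict], anchor: Optional[str] = None) -> Optional[int]:
    """None if the chain is intact, else the seq of the first bad entry. Checks a
    gapless seq, each prev link and each entry's own hash. A chain alone cannot
    see that its newest entries were removed, so when the expected head hash is
    supplied (anchor), a mismatch is reported as len(entries)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev or entry_hash(body) != e.get("hash"):
            return i
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return len(entries)
    return None

def demo() -> Dict[str, Optional[int]]:
    """Three constructed events, then an edit, a deletion and a truncation."""
    log = AuditLog()
    log.append("alice@example.com", "member.invite", "bob@example.com", "2024-05-01T09:00:00Z")
    log.append("alice@example.com", "role.change", "bob@example.com:Admin", "2024-05-01T09:05:00Z")
    log.append("bob@example.com", "export.download", "report-42", "2024-05-01T10:00:00Z")
    anchor = log.entries[-1]["hash"]             # chain head, kept out of band
    edited = copy.deepcopy(log.entries)
    edited[1]["actor"] = "mallory@example.com"   # rewrite who changed the role
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                               # make the role change vanish
    truncated = log.entries[:2]                  # drop the newest entry
    return {
        "intact": verify(log.entries, anchor),
        "edit_detected_at": verify(edited),
        "deletion_detected_at": verify(deleted),
        "truncation_chain_only": verify(truncated),        # undetected without anchor
        "truncation_with_anchor": verify(truncated, anchor),
    }
```

The chain proves integrity only relative to the anchor: an attacker who can rewrite both the log and the anchor leaves no trace, so the anchor belongs in storage the application's own service account cannot overwrite, and it has to be refreshed every time the log grows.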
Resilience
Redundant infrastructure, automated encrypted backups to EU object storage, and a documented incident-response process.
Reporting a vulnerability
We welcome responsible disclosure. Please report security issues to security@betall.app; we aim to acknowledge within one business day.
Questions about this document? Contact legal@betall.app or our data protection officer at dpo@betall.app.
