# Security & Trust
D.A.M.I is built with security-first principles. Your data and credentials are protected at every layer.
## Authentication
- Firebase Authentication with Google Sign-In and email/password
- JWT verification on every API request
- API key authentication for programmatic access (key prefix: `dami_sk_`)
## Authorization (RBAC)
Four roles with granular permissions:
| Permission | Owner | Admin | Operator | Viewer |
|---|---|---|---|---|
| View dashboards | ✅ | ✅ | ✅ | ✅ |
| Execute agents | ✅ | ✅ | ✅ | ❌ |
| Manage connectors | ✅ | ✅ | ❌ | ❌ |
| Manage users | ✅ | ✅ | ❌ | ❌ |
| Tenant settings | ✅ | ❌ | ❌ | ❌ |
| Billing | ✅ | ❌ | ❌ | ❌ |
## Data Protection
- Encryption at rest: AES-256-GCM for all stored secrets and credentials
- Encryption in transit: TLS 1.3 for all API communication
- No credential logging: Secrets are never written to logs
- Data isolation: Complete multi-tenant separation
## Webhook Security
All webhook endpoints verify authenticity:
| Source | Verification |
|---|---|
| GitHub | HMAC-SHA256 signature |
| Jenkins | Token-based auth |
| PagerDuty | Signature verification |
| Datadog | API key validation |
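The GitHub row above relies on an HMAC-SHA256 signature. The following is an added illustration of how such a check is done, not D.A.M.I's own code: the secret, the header value and the request body are constructed samples, and the header name `X-Hub-Signature-256` with its `sha256=` prefix follows GitHub's documented webhook format. The check runs over the raw request bytes and uses a constant-time comparison so a forged or tampered delivery is rejected without leaking timing information.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholder secret; a real deployment loads this from the
# environment (the page states that no secrets are hardcoded).
WEBHOOK_SECRET = b"example-webhook-secret"

# Constructed sample payload, kept as raw bytes: the signature must be
# computed over exactly the bytes received, never over re-serialised JSON.
SAMPLE_BODY = b'{"action":"opened","number":1}'


def compute_github_signature(secret: bytes, body: bytes) -> str:
    """Return the value GitHub would place in X-Hub-Signature-256."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Accept the delivery only if the header carries a valid HMAC-SHA256.

    A missing header, a wrong algorithm prefix, or a digest that does not
    match the raw body all fail closed.
    """
    if not header or not header.startswith("sha256="):
        return False
    expected = compute_github_signature(secret, body)
    # compare_digest prevents a byte-by-byte timing side channel.
    return hmac.compare_digest(expected, header)


if __name__ == "__main__":
    header = compute_github_signature(WEBHOOK_SECRET, SAMPLE_BODY)
    print("valid delivery accepted:", verify_github_signature(WEBHOOK_SECRET, SAMPLE_BODY, header))
    tampered = SAMPLE_BODY.replace(b"opened", b"closed")
    print("tampered body rejected:", not verify_github_signature(WEBHOOK_SECRET, tampered, header))
```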
## Infrastructure Security
- Google Cloud Run — fully managed, auto-scaling, no server management
- Firebase — Google's enterprise-grade auth platform
- No hardcoded secrets — all sensitive values via environment variables
- Dependency scanning — automated vulnerability checks in CI/CD
## Compliance
D.A.M.I supports compliance auditing for:
- SOC 2
- HIPAA
- PCI-DSS
- GDPR
- CIS GCP Benchmarks
## Responsible AI
- AI actions follow least-privilege principles
- Human-in-the-loop approval for all write/destructive operations
- Audit trail for every AI decision and action
- No customer data used for model training