Security at Valoryx
Your documentation is sensitive. We treat security as a core feature, not an afterthought.
Data Protection
Your data stays on your infrastructure. Always.
Self-Hosted by Design
Valoryx runs on your servers. Documentation never leaves your infrastructure.
Encrypted at Rest
SQLite database with filesystem-level encryption. Sensitive fields use AES-256-GCM.
Encrypted in Transit
All connections use TLS 1.2+. Git sync over SSH or HTTPS.
Authentication
Multiple authentication methods with enterprise-grade session management.
WebAuthn and Passkeys
Passwordless authentication with FIDO2 security keys and platform biometrics.
5-Role RBAC
Fine-grained role-based access control with 5 roles — Viewer, Commenter, Editor, Admin, and Super Admin. Per-workspace permissions with configurable editor capabilities.
Secure Sessions
HTTP-only cookies, CSRF protection, automatic session expiry.
Infrastructure Security
Built with security best practices at every layer.
Signed Binaries
All releases signed with Sigstore cosign. SBOM included. Reproducible builds via GoReleaser.
Dependency Scanning
Automated vulnerability scanning in CI/CD. Go module checksums verified.
Security Headers
CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. A+ rating.
Automated Backups
Built-in backup command with configurable retention. Git sync provides additional redundancy.
MCP Server Security
AI integrations with strict access controls.
Scoped Permissions
MCP tools operate within the same 5-role RBAC system that governs user access.
Audit Logging
All MCP tool invocations logged with timestamps, user identity, and parameters.
Local Transport
MCP server runs as a local process. No data leaves your network.
Vulnerability Disclosure
We take security reports seriously.
Report a Vulnerability
We aim to acknowledge reports within 24 hours and provide a fix timeline within 72 hours.
Security you can verify
Valoryx is built with security at every layer. Self-host on your infrastructure, review dependencies, run your own scans.