Your data does not leave your cluster. We do not operate one.
AppBahn ships as a Kubernetes operator. There is no hosted control plane, no managed cloud, no vendor side-channel. Your application data, logs, and secrets stay on the cluster you run. Here is exactly what that means.
What is shipped. What is planned.
Stated as project intent, not as a paid tier. Every item below lands in the open-source distribution.
Encryption in transit
TLS 1.3 via cert-manager. HSTS. Modern cipher suites only.
Encryption at rest
Secrets encrypted with the cluster's KMS. Persistent volumes delegated to the cluster's storage class.
OIDC single sign-on
Keycloak, Okta, Google Workspace. Group-to-role mapping at workspace scope.
SOC 2 Type I attestation
Targeted for later. The Type II observation window opens once Type I is achieved.
BSI C5 self-assessment
Post-1.0. Targets German regulated-industry readiness.
Where data lives.
Because your workloads run on your cluster, the attack surface we are responsible for is narrower than that of a hosted platform. The split is clean.
Everything that matters
Application pods, databases, secrets, logs, metrics, build artifacts, container registry (optional). All of it runs inside your Kubernetes cluster, under your network and IAM controls.
Nothing, by default
AppBahn ships as an operator. There is no hosted control plane — the platform runs alongside your workloads. No metadata leaves the cluster unless you explicitly wire outbound integrations (Slack, external SIEM).
Who can do what.
OIDC single sign-on
Keycloak, Okta, Microsoft Entra ID, Google Workspace, generic OIDC. Enforce SSO for the workspace. OIDC is the only auth path — there are no local users.
RBAC, four built-in roles
owner, deployer, developer, viewer — scoped per environment. Mapped from OIDC groups where available.
Every mutation recorded
Append-only audit log lands in the next release. Exportable to external SIEM via webhook integrations.
Never in plaintext
Encrypted with your cluster's KMS (AWS, GCP, Azure, or Vault). Scoped per environment. Rotatable without redeploy.
Found something? Tell us.
Report a vulnerability
We acknowledge security reports within two business days and aim to triage within five. Fixes ship as ordinary releases; notable issues get a postmortem on the blog. A bug bounty is under consideration post-1.0.
security@appbahn.cloud
Plain-text reports are fine. We will publish a PGP key once a project key is in place.
What to include
Reproduction steps. Affected version (output of appbahn --version). A severity assessment if you have one. The cluster topology (Kubernetes distribution, version, ingress controller) helps us reproduce.
For non-security questions, email owner@appbahn.cloud.