Security at Somodus

Somodus agents work with your accounts, so protecting your credentials is the core of our security design: every stored secret is protected with envelope encryption (a unique AES-256-GCM data key per secret), sessions use rotating tokens with reuse detection, and only server-verified code is ever deployed.

How your credentials are protected

OAuth tokens and API keys you connect are encrypted with envelope encryption: each secret gets its own unique 256-bit data-encryption key (AES-256-GCM with a random IV per operation), and that data key is itself wrapped by a separate key-encryption key. Encrypted secrets are stored separately from application metadata, so a database record on its own is useless without the key hierarchy.

API keys you provide for your own integrations (for example a Stripe or Twilio key) are injected into your agent as encrypted deployment secrets — they are not embedded in the agent's code and are never returned to the browser.

Account and session security

Sign-in uses Google OAuth with PKCE (S256). Sessions use short-lived access tokens with rotating refresh tokens: each refresh issues a new token, presenting an old token outside a short grace window is rejected and treated as a sign of a stolen token, and refresh tokens are stored only as SHA-256 hashes — never in plaintext.
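The rotation and reuse-detection scheme described above, as an added illustration rather than Somodus's own code. The 30-second grace width, the in-memory store and the choice to revoke the whole session when reuse is detected are assumptions; the page gives no such details.

```python
import hashlib
import secrets
import time

GRACE_SECONDS = 30  # assumed width of the reuse grace window (not stated on the page)


def token_hash(token: str) -> str:
    """Refresh tokens are persisted only as SHA-256 hashes, never in plaintext."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """In-memory stand-in for the session table (assumption: a real service persists it)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the grace window can be tested
        self.sessions = {}      # session_id -> {"current": hash, "grace": {hash: expiry}, "revoked": bool}
        self.owner = {}         # every hash ever issued -> session_id, so reuse can be attributed

    def create_session(self):
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = {"current": token_hash(token), "grace": {}, "revoked": False}
        self.owner[token_hash(token)] = sid
        return sid, token       # the plaintext token goes to the client once and is not kept

    def refresh(self, token: str) -> str:
        h = token_hash(token)
        sid = self.owner.get(h)
        if sid is None:
            raise PermissionError("unknown refresh token")
        s = self.sessions[sid]
        if s["revoked"]:
            raise PermissionError("session revoked")
        if h != s["current"] and s["grace"].get(h, 0) <= self.now():
            # An old token presented after its grace window means a second copy
            # exists that the legitimate client already discarded: revoke the session.
            s["revoked"] = True
            raise PermissionError("refresh-token reuse detected; session revoked")
        new_token = secrets.token_urlsafe(32)
        s["grace"][s["current"]] = self.now() + GRACE_SECONDS  # tolerate a delayed retry briefly
        s["current"] = token_hash(new_token)
        self.owner[s["current"]] = sid
        return new_token

    def is_revoked(self, sid: str) -> bool:
        return self.sessions[sid]["revoked"]
```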

Deployment integrity

Agent code is deployed only from server-verified build artifacts. Code submitted by a client is never trusted or deployed directly — the deploy path fails closed if a trusted artifact cannot be resolved. This prevents tampered or injected code from reaching your agents.

In transit

All traffic is served over HTTPS with HSTS; plain-HTTP requests are redirected before any content is served.

Reporting a vulnerability

If you believe you've found a security issue, please email support@somodus.com with details. We read every report. A machine-readable contact is published at /.well-known/security.txt.