Security, layer by layer
Every property is real, documented, and code-backed. No vague claims — only specifics.
Fail-Closed JWT Revocation
Token revocation uses a Redis JTI blocklist. If Redis is unavailable, the token is rejected — not accepted. Security cannot degrade to an open state.
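The fail-closed check described above, as an added example (not Shoal's code): a constructed in-memory store stands in for the Redis JTI blocklist, and the names `check_token`, `InMemoryBlocklist` and `BlocklistUnavailable` are hypothetical. It assumes the token's signature has already been verified and that blocklist entries only need to live until the token's own `exp`.

```python
import time

class BlocklistUnavailable(Exception):
    """Raised when the revocation backend cannot be reached."""

class InMemoryBlocklist:
    """Constructed stand-in for a Redis JTI blocklist (hypothetical interface)."""
    def __init__(self):
        self._revoked = {}      # jti -> token expiry (epoch seconds)
        self.available = True   # flip to False to simulate an outage

    def revoke(self, jti, exp):
        # Assumption: an entry is only needed until the token itself expires.
        self._revoked[jti] = exp

    def is_revoked(self, jti, now):
        if not self.available:
            raise BlocklistUnavailable("revocation store unreachable")
        exp = self._revoked.get(jti)
        return exp is not None and exp > now

def check_token(claims, store, now=None):
    """Return (accepted, reason). Any doubt about revocation state rejects."""
    now = time.time() if now is None else now
    jti, exp = claims.get("jti"), claims.get("exp")
    if not jti or not isinstance(exp, (int, float)):
        return False, "missing jti or exp"    # cannot be looked up, so reject
    if exp <= now:
        return False, "expired"
    try:
        revoked = store.is_revoked(jti, now)
    except BlocklistUnavailable:
        return False, "revocation store unavailable"   # fail closed
    except Exception:
        return False, "revocation check error"         # unknown failure also rejects
    if revoked:
        return False, "revoked"
    return True, "ok"

if __name__ == "__main__":
    store = InMemoryBlocklist()
    token = {"jti": "constructed-jti-1", "exp": time.time() + 900}
    print(check_token(token, store))   # accepted while the store answers
    store.available = False
    print(check_token(token, store))   # rejected during the outage
```

The fail-open variant of this code is the one that returns `True` from the `except` branch; during a store outage it would accept revoked tokens without any visible error.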
AES-256-GCM Credential Encryption
Third-party OAuth credentials are encrypted at rest using AES-256-GCM, an authenticated encryption mode that protects against both unauthorized reading and undetected tampering.
httpOnly Refresh Cookies
Refresh tokens live in httpOnly cookies — inaccessible to JavaScript. Access tokens are kept only in browser memory, never written to localStorage.
Per-Workspace Vector Namespaces
Every organization's embeddings live in a dedicated Pinecone namespace. One tenant's document index cannot bleed into another's results — enforced in code.
Production Security Headers
Every API response includes HSTS, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy in production.
AWS GuardDuty + CloudTrail
Infrastructure-level threat detection (GuardDuty) and full API audit logging (CloudTrail) are provisioned via Terraform for all environments.
S3 Server-Side Encryption
All uploaded documents are stored in AWS S3 with server-side encryption. Files are never stored on application servers: uploads go directly to S3 via pre-signed URLs.
Pre-flight Credit Enforcement
Before any LLM call is made, the platform checks your organization's credit balance. Insufficient credits return HTTP 402 — no partial LLM calls that consume budget unexpectedly.
Multi-Layer Rate Limiting
Rate limiting operates at IP, workspace, and user levels independently. Separate limits apply to login, invite acceptance, password reset, chat, and voice.
Shoal does not currently hold SOC 2 or ISO 27001 certifications. Infrastructure audit trails and security controls are implemented and Terraform-managed. Certification roadmap available on request.