Security

ownMDM is pre-launch and self-hostable. We take customer trust seriously: every action by ownMDM staff against your tenant is visible to you in real time, and our security posture is documented honestly. The list below reflects what's in production today — not a roadmap.

Encryption

  • TLS 1.2+ for all data in transit (NPM-terminated)
  • bcrypt password hashing (cost factor 12) with timing-safe comparison
  • Secrets isolated to env vars; never logged, never in API responses

Authentication & 2FA

  • JWT in HttpOnly, SameSite=Strict cookies
  • Mandatory TOTP 2FA for owner / super_admin (24h grace window)
  • Per-tenant 2FA enforcement available (tenant owner toggle)
  • SAML 2.0 / LDAP SSO integration
  • 5-attempt login lockout with exponential backoff (60s–600s)

Infrastructure

  • Self-hostable (source available, AGPL-3.0)
  • Docker with health checks, no privileged containers
  • Tenant isolation via tenant_id scoping enforced at every query
  • Subdomain routing with JWT cross-tenant validation
  • Five-layer defense (JWT → middleware → permission → row scoping → nav guard)

Monitoring & customer audit

  • Prometheus + Grafana observability
  • Loki log shipping
  • GlitchTip error tracking with PII scrubbing
  • Customer-visible platform-access log — every staff action against your tenant, surfaced in your admin UI
  • Email notification when ownMDM staff begins a support session

Application security

  • SSRF prevention with DNS pinning + URL re-validation
  • Command injection protection (shlex.quote + whitelisted templates)
  • Origin header validation on state-changing requests
  • Cross-tenant access requires written justification (logged + emailed)
  • Cross-tenant pentest 2026-04-27: 0 exploitable leaks

Compliance posture

  • GDPR Data Processing Agreement available on request
  • SOC 2 Type I evidence collection in progress (target Q3 2026)
  • Operational audit logs 90 days; security events 7 years
  • Customer data export via API + admin portal
  • Cookie consent + privacy policy

Need a DPA or security questionnaire?

We provide Data Processing Agreements, security documentation, and respond to vendor security assessments.

Contact Security Team