Security at Systemi
Your engineering data is sensitive. We take its protection seriously with multiple layers of security at every level of the platform.
- Encryption: TLS 1.2+ / AES-256
- Authentication: Session + MFA
- API Access: Read-Only
- Data Isolation: Per Organization
Authentication & Access
Session-Based Authentication
All API endpoints are protected by server-side session validation. Sessions are cryptographically generated and stored securely with automatic expiration.
Multi-Factor Authentication
Optional MFA support using TOTP authenticator apps (Google Authenticator, Authy, etc.) or email-based one-time passwords. Backup codes are provided for account recovery.
Email Verification
New accounts must verify their email address before accessing sensitive features like integration configuration.
Password Security
Passwords are hashed using bcrypt with appropriate cost factors. Plain-text passwords are never stored or logged.
Data Protection
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2+. API connections to Jira, GitHub, and Slack also use encrypted channels.
Encryption at Rest
Database storage is encrypted at rest using AES-256 encryption provided by our infrastructure provider.
Data Isolation
Each organization's data is logically isolated at the database level. All queries are scoped to the authenticated user's organization, preventing cross-tenant data access.
Data Retention Controls
Data retention is enforced per subscription plan. Historical data beyond the retention window is automatically and permanently deleted.
Integration Security
Read-Only Access
Systemi connects to Jira, GitHub, and Slack using read-only permissions. We never write data back to your project management, source control, or communication tools.
Secure Credential Storage
API tokens and OAuth credentials for third-party integrations are encrypted before being stored in our database.
Minimal Data Collection
We only access the metadata necessary to compute engineering metrics — issue statuses, timestamps, assignees, and PR metadata. We do not access source code contents.
Infrastructure
Cloud Hosting
The Service is hosted on Vercel and uses managed database services with automated backups, redundancy, and high availability.
Cron Job Security
Automated background tasks (report generation, sync resumption) are protected by a shared secret and reject unauthorized invocations in production.
Dependency Management
We regularly review and update dependencies to address known security vulnerabilities.
Responsible Disclosure
If you discover a security vulnerability in Systemi, we appreciate your help in disclosing it to us responsibly.
- Email security@getsystemi.com with details of the vulnerability
- Include steps to reproduce the issue, if possible
- Allow us reasonable time to investigate and address the issue before public disclosure
- We will acknowledge receipt within 48 hours and provide updates as we investigate
Questions about security?
We're happy to discuss our security practices in detail. Reach out to our security team.