Security
A platform that holds your domain model. Treat it that way.
Deklarative sits at the center of an application: entities, workflows, secrets, infrastructure credentials. The security bar matches that responsibility.
Transport & storage
- TLS 1.3 by default for all API and webhook traffic.
- At-rest encryption on Postgres for entity data, secrets, audit logs.
- Secrets vault with per-environment scoping; integrations with HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault.
- Payment data is tokenized by the payment processor; we never see raw bank or card numbers.
Identity & access
- SSO via SAML and OIDC. SCIM provisioning on Cloud Growth and Enterprise.
- RBAC + ABAC + ReBAC unified. CEL expressions for dynamic criteria.
- Per-environment scoping (dev / staging / prod) with separate credentials.
- Two-factor authentication required for any role with deploy permissions.
- Audit log of every manifest apply, every deploy, every secret access.
Workflow engine integrity
- Idempotency keys enforce exactly-once semantics on retries.
- Activity execution is sandboxed; activities get no access to secrets without an explicit grant.
- Replay-safety analysis of workflow code, enforced by linting at apply time.
- Per-activity resource quotas (CPU, memory, network) enforced by the runtime.
Build & supply chain
- Reproducible builds. SBOM published per release.
- Container images and binaries signed with Cosign.
- Pinned dependencies, automated CVE scans, OSS license auditing.
- SLSA Level 3 build provenance on the roadmap.
- Generated code is auditable in your repo, not opaque bytecode.
Source escrow
On Enterprise, source escrow is available — an independent third party holds a snapshot of the Deklarative source you can access if we go away. The Apache 2.0 license already gives you the right to fork and run; escrow gives you the snapshot of internal tooling that's not in the OSS distribution.
Hosting
- Deklarative Cloud: EU (Frankfurt) and US (Virginia) regions on tier-1 providers.
- Self-hosted: same binaries; runs on your Kubernetes / Nomad / VMs / bare metal.
- Air-gapped install on Enterprise — manifest-driven offline deployment.
- SOC 2 Type II audit in progress, target 2026 H2.
Responsible disclosure
Found a security issue? Email security@deklarative.com. We respond within one business day, triage within three, and credit researchers in the changelog (with permission).
Our security.txt has the latest contacts and PGP key.
Get started
Describe the system. Ship the system.
Open source under Apache 2.0. Cloud free for evaluation. Production deployments self-hosted or hosted, your call.