Security
Fontana is built for organisations that need provable control over who can access what, where data lives, and how change is recorded. Your workspace runs inside your Kubernetes boundary with dedicated identity, secrets, data stores, and audit paths. The pages below describe the security model you can review during procurement and SOC 2-aligned diligence.
Topics
Section titled “Topics”- Workspace isolation - cluster-per-tenant boundaries, shared platform services, and soft vs dedicated-host tenancy
- Secrets and encryption - Vault write-only secrets, BYOK, secret rotation, encryption in transit and at rest
- Network and hardening - TLS transmission boundary, operator host access, NetworkPolicy, pod security
- Supply chain - pinned OCI images, bundle integrity verification, and vulnerability scanning
- Data retention - workflow data, HyperDX operational logs, and WORM audit retention boundaries
- Deployment environments - production-class vs integration/local SOC 2 scope
- SOC 2 control summary - mapped control areas for security questionnaires and audit review
- Vendor diligence FAQ - answers to recurring procurement and audit questions with links to deep dives
Three evidence planes
Section titled “Three evidence planes”Security and compliance review spans platform controls (this section) and runtime evidence (audit and lineage). Keep these separate in questionnaires:
| Plane | What it proves | System of record | Where to read more |
|---|---|---|---|
| Platform security | Isolation, secrets, encryption, network, supply chain | Host and cluster configuration | This section |
| Security audit (WORM) | Who did what on the platform; privileged activity | ImmuDB per workspace (append-only) | Security audit (WORM) |
| Workflow lineage and port audit | How an output value was derived; validation and edit context on a run | Workflow file store (lineage sidecars, port audit items; not ImmuDB) | Data lineage |
HyperDX is an operational search plane. It may mirror WORM events for faster incident search, but it is not the compliance system of record. Retention, reindexing, or TTL expiry in HyperDX does not replace ImmuDB evidence. See Data retention and Operational telemetry.
Related documentation
Section titled “Related documentation”- Identity and access - Zitadel SSO, MFA, SCIM, and application RBAC
- Compliance evidence - workflow lineage and immutable audit trail deep dive
- Observability - operational telemetry vs security audit routing
- Deployment architecture - platform and workspace cluster topology
- Backup and restore - snapshots, rollback, and configuration export