Security at Lectur.
What's in place today, what's in flight, and how we'd rather you tell us about a vulnerability.
What's in place today
Per-tenant database isolation at the query layer, enforced in code and covered by build-time checks. Secrets held in Dokploy environment stores, never checked into source. TLS on every inbound edge and on internal service-to-service calls that leave Docker networking. HttpOnly, SameSite cookies for auth with short, rotating tokens. Daily encrypted backups with point-in-time restore up to 30 days.
Authentication
OIDC and SAML single sign-on per tenant. Pilot institutions bring their own identity provider and role mappings. Service-to-service calls carry a shared-secret X-API-Key scoped per service, validated at the edge proxy before requests reach application code.
What's in flight
SOC 2 Type I readiness (Q2 2026) with a Type II attestation period starting after we exit pilot. Formal incorporation, vendor diligence package, and a full security whitepaper are on the same Q2 track — they're committed deliverables, not wishlist items.
Observability
OpenTelemetry traces on every backend surface, with error, LLM, and usage events shipped to our observability stack. Host-level intrusion signals (Falco, chkrootkit, rkhunter, lynis, unhide) feed a notification hub that fans out to the appropriate operators.
Responsible disclosure
If you believe you have found a vulnerability, please do not post it publicly. Email the security address below with enough detail to reproduce; we will acknowledge within two business days and keep you updated as the fix lands. Pilot customers have an additional escalation channel in their contract.
Questions
Email security@lectur.ca.