Security

Isolation

Each customer pipeline runs in its own Firecracker microVM (a Fly.io Machine) inside a dedicated Fly App per tenant. Per-VM kernel isolation, separate network namespaces, and Fly's public-network policy keep tenants from reaching each other.

Data at rest

Checkpoints live on Tigris (Fly-network object storage) with SSE-S3 default encryption. Optional customer-managed KMS keys are available on the Enterprise tier. Cold-tier archive in AWS Deep Archive uses SSE-KMS.

Data in transit

TLS 1.2+ everywhere. The control plane API (api.opendera.com), the console (app.opendera.com), the marketing site, and the docs all use ACM-issued certs served via CloudFront. Pipeline workers talk to the manager over Fly's private network (.internal DNS).

Authentication

The console uses OIDC sign-in (e.g. Google, GitHub, Microsoft). The SDK and CLI authenticate with per-tenant API keys. SAML 2.0 single sign-on is on the roadmap and will land alongside on-premise SSO support.

Compliance

OpenDera is early. We are not yet SOC 2, ISO 27001, or HIPAA audited. Self-host if your compliance requirements outpace this timeline; the open-source build has every feature and you keep the data plane.

Disclosure

Report security issues to security@opendera.com. Please don't open a public GitHub issue for security-relevant bugs.