Security Policy

Last updated: March 2, 2026

Eyevinn Technology AB takes the security of Eyevinn Open Source Cloud seriously. We appreciate the security research community and welcome responsible disclosure of vulnerabilities.

1. Reporting a Vulnerability

If you believe you have found a security vulnerability in our platform, please report it to us responsibly.

What to Include in Your Report

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability if left unaddressed
  • Any suggestions for how the vulnerability could be fixed

2. Our Commitment

When you report a vulnerability to us, we commit to:

  • Acknowledging your report within 3 business days
  • Providing an estimated timeline for a fix within 10 business days
  • Keeping you informed about the progress of resolving the vulnerability
  • Crediting you (if desired) when we publicly disclose the fixed vulnerability

3. Responsible Disclosure Guidelines

We ask that security researchers:

  • Give us reasonable time to address the vulnerability before public disclosure
  • Make a good faith effort to avoid privacy violations, destruction of data, and disruption of services
  • Do not access or modify data belonging to other users
  • Do not perform actions that could negatively impact other users or the platform

4. Scope

In Scope

Out of Scope

  • Third-party services and integrations not operated by Eyevinn Technology
  • Individual open source projects hosted on the platform (report those to the upstream maintainers)
  • Social engineering attacks against our team

5. Platform Security Measures

We implement industry-standard security measures to protect the platform and our users:

  • TLS/SSL encryption for all data in transit
  • Encryption for data at rest
  • Kubernetes-based isolation between tenant workloads
  • OAuth 2.0 and passwordless authentication
  • Role-Based Access Control (RBAC)
  • Regular security audits
  • Automated vulnerability scanning
  • Access logging and monitoring

6. Contact

Eyevinn Technology AB

Security reports: contact@support.osaas.io

General inquiries: info@eyevinn.se

Website: www.osaas.io

Machine-readable security contact information is available at /.well-known/security.txt