Security Policy
Last updated: March 2, 2026
Eyevinn Technology AB takes the security of Eyevinn Open Source Cloud seriously. We appreciate the security research community and welcome responsible disclosure of vulnerabilities.
1. Reporting a Vulnerability
If you believe you have found a security vulnerability in our platform, please report it to us responsibly.
Contact
Email: contact@support.osaas.io
What to Include in Your Report
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact of the vulnerability if left unaddressed
- Any suggestions for how the vulnerability could be fixed
2. Our Commitment
When you report a vulnerability to us, we commit to:
- Acknowledging your report within 3 business days
- Providing an estimated timeline for a fix within 10 business days
- Keeping you informed about the progress of resolving the vulnerability
- Crediting you (if desired) when we publicly disclose the fixed vulnerability
3. Responsible Disclosure Guidelines
We ask that security researchers:
- Give us reasonable time to address the vulnerability before public disclosure
- Make a good faith effort to avoid privacy violations, destruction of data, and disruption of services
- Do not access or modify data belonging to other users
- Do not perform actions that could negatively impact other users or the platform
4. Scope
In Scope
- The Open Source Cloud platform at app.osaas.io
- The marketing website at www.osaas.io
- Platform APIs at *.svc.prod.osaas.io
Out of Scope
- Third-party services and integrations not operated by Eyevinn Technology
- Individual open source projects hosted on the platform (report those to the upstream maintainers)
- Social engineering attacks against our team
5. Platform Security Measures
We implement industry-standard security measures to protect the platform and our users:
- TLS/SSL encryption for all data in transit
- Encryption for data at rest
- Kubernetes-based isolation between tenant workloads
- OAuth 2.0 and passwordless authentication
- Role-Based Access Control (RBAC)
- Regular security audits
- Automated vulnerability scanning
- Access logging and monitoring
6. Contact
Eyevinn Technology AB
Security reports: contact@support.osaas.io
General inquiries: info@eyevinn.se
Website: www.osaas.io
Machine-readable security contact information is available at /.well-known/security.txt