Idiongo
Effective 22 May 2026 · Last updated 22 May 2026

Security at Idiongo.

Security isn't a checkbox. It's how the product is built. This page summarises the controls we keep in place to protect your workspace, your team, and your data.

Workspace isolation

Every Idiongo workspace is row-level isolated in PostgreSQL. Every API route resolves a workspace ID from the authenticated session, and queries are scoped to that workspace at the ORM layer. There is no shared "global" table where one workspace's data sits next to another's.

File storage uses workspace-scoped object prefixes (s3://idiongo-prod/ws_{id}/). Access policies are enforced at the storage layer, not just in application code.

Encryption

  • In transit: TLS 1.3 enforced on all endpoints. HTTPS-only cookies. HSTS enabled with a 1-year max-age.
  • At rest: AES-256 encryption on database, file storage, and backup volumes.
  • Direct messages: End-to-end encrypted between participants. Idiongo cannot read DM content.
  • Secrets: Credentials and API keys stored in a managed secret store, rotated quarterly.

Access controls

Workspace owners assign roles (Member, Instructor, Admin) that map to a least-privilege permission set. Every action is checked against the actor's role and scope. Permission changes are logged to an immutable audit trail visible to admins.

Internally, Idiongo staff access to production is restricted to a small on-call team, requires hardware-key MFA, and is logged on every connection.

Authentication

  • Passwords hashed with bcrypt at salt rounds ≥ 12
  • JWT sessions with 15-minute access tokens and 7-day refresh tokens
  • Optional TOTP-based two-factor authentication on all plans
  • SSO via SAML 2.0 and Google Workspace on Enterprise
  • Brute-force protection on auth routes with progressive delays

AI & your content

Idiongo's AI features process your content to generate output, but your content is never used to train a shared model. Knowledge base documents are embedded into a vector index scoped to your workspace alone. Generated output is reviewed by an instructor before publishing.

We do not send your documents, your courses, or your messages to third-party model providers for training or fine-tuning under any circumstance. Generation calls send only the minimum context required and are governed by our processor agreements.

Infrastructure

Production runs on reputable cloud infrastructure with automated failover, daily encrypted backups retained for 30 days, and quarterly disaster-recovery drills. Monitoring covers application health, anomalous request patterns, and dependency vulnerability scans.

The full subprocessor list, including data residency, is published at idiongo.com/subprocessors.

Secure SDLC

  • Code review required on every change merged to main
  • Automated static analysis and dependency scanning on every pull request
  • Penetration testing by an independent third party annually
  • Bug bounty programme for verified security researchers

Responsible disclosure

If you discover a vulnerability, please report it to security@idiongo.com with a description of the issue and steps to reproduce. We acknowledge reports within 24 hours and credit researchers who report responsibly.

Please do not disclose publicly until we've had a reasonable opportunity to investigate and remediate.