Skip to content

Security: forint573/erp-integrator-vortex

Security

SECURITY.md

Security Policy

Reporting a vulnerability

If you find a security vulnerability in MEGZO Integrator Vortex or its managed service, please report it responsibly — do not open a public issue.

  • Email office@megzo.biz with a description and steps to reproduce.
  • We aim to acknowledge within 2 business days and to keep you informed through remediation.
  • Please allow a reasonable window to fix the issue before any public disclosure.

About this repository

This is a public overview of the platform. It contains no credentials, customer data, or production secrets — the managed service runs separately on Cloudflare Workers.

How the platform is secured

  • Tenant isolation: PostgreSQL row-level security keyed on tenant; the runtime database role is non-bypass-RLS.
  • Encryption: credentials sealed at rest with AES-256-GCM (master key in Worker Secrets, per-tenant ciphertext); TLS in transit; secrets decrypted only in memory, never logged or returned to the UI.
  • Boundary authentication: every inbound webhook is HMAC-verified (Standard Webhooks) before processing.
  • Locked admin: the console sits behind Cloudflare Access with a strict Content-Security-Policy.
  • Least privilege & scrubbed logs: scoped service credentials; logs carry references and hashes only.

Operated by ICS4BIZ & IT SRL (Romania).

There aren't any published security advisories