1. Security Overview
Our Security Commitment
At IntuneBrew, security is a fundamental aspect of our platform. We implement industry-standard security practices to protect your data and ensure the reliability of our service. This document provides transparency about our security measures and practices.
Security Principles
- Defense in Depth - Multiple layers of security controls
- Least Privilege - Access limited to what is necessary
- Encryption by Default - Data protected in transit and at rest
- Transparency - Clear communication about our security practices
- Continuous Improvement - Regular security assessments and updates
Encrypted Data
HTTPS + token encryption
Secure Auth
Microsoft Entra ID
Audit Logging
Security and upload events
2. Authentication Security
Microsoft Entra ID Integration
IntuneBrew uses Microsoft Entra ID (formerly Azure Active Directory) for user authentication. This provides enterprise-grade security features:
- Single Sign-On (SSO) - Seamless authentication with existing Microsoft credentials
- Multi-Factor Authentication - Support for MFA policies configured in your tenant
- Conditional Access - Respect for your organization's conditional access policies
- No Password Storage - We never store your Microsoft password
Token Security
Access tokens are handled with strict security measures:
- JWT Validation - All tokens are cryptographically verified using Microsoft's public keys
- Signature Verification - RSA signature validation via JWKS endpoint
- Expiration Checks - Tokens are validated for expiration with minimal tolerance
- Audience Validation - Tokens are verified for the correct audience (Microsoft Graph)
- Issuer Validation - Only tokens from Microsoft's official endpoints are accepted
- Claims Verification - User identity claims (oid, upn, tid) are validated
Session Management
- Standard sign-in - MSAL v4 caches authentication artifacts in localStorage and encrypts them with a key based in the
msal.cache.encryptionsession cookie, except when Microsoft's "Keep me signed in" option is selected - Custom app registration - The Graph access token is kept server-side in an encrypted HttpOnly, SameSite=Lax cookie whose lifetime is aligned with token expiry
- Token renewal - MSAL handles cache lookup and silent renewal for the standard sign-in flow
- Logout and disconnect - The relevant MSAL cache or custom tenant session is cleared when the user signs out or disconnects
3. Data Encryption
Encryption in Transit
Production traffic is sent over provider-managed HTTPS:
- HTTPS - Vercel manages certificates and transport security for the website and API
- Provider connections - Calls to Microsoft Graph, Supabase, GitHub, Resend, and Plausible use HTTPS endpoints
- Webhook delivery - Configured webhook destinations must use HTTPS in production
Encryption at Rest
Data stored in our systems is encrypted using industry-standard methods:
- Database Encryption - Supabase provides transparent data encryption for stored data
- Token Encryption - Access tokens queued for processing are encrypted with AES-256-GCM
- Key Management - Application encryption keys are supplied through protected runtime and GitHub Actions secrets
Token Encryption Details
When your Microsoft access token is used for app uploads, it is encrypted before being queued:
Algorithm: AES-256-GCM
IV Length: 16 bytes (random)
Auth Tag: 16 bytes
Key Size: 256 bits
4. Access Controls
Application Access
- Authentication Required - All protected endpoints require valid authentication
- User Isolation - Users can only access their own data
- Tenant Isolation - Data is segregated by Microsoft tenant
- Permission Validation - API permissions are validated for each request
API Security
- Token Validation - Every API request is authenticated and authorized
- Input Validation - All user inputs are validated server-side
- Output Encoding - Responses are properly encoded to prevent injection
- CORS Policy - Cross-Origin Resource Sharing restricted to authorized domains
Infrastructure Access
Access to production infrastructure follows the principle of least privilege. Administrative access is limited, protected by multi-factor authentication, and all access is logged.
5. Rate Limiting
Protection Against Abuse
We implement rate limiting to protect against abuse and ensure fair usage:
- Per-User Limits - Requests are limited per authenticated user
- Per-IP Limits - Additional limits based on client IP address
- Endpoint-Specific - Different limits for different API endpoints
- Gradual Response - Warnings before hard blocks
Rate Limit Headers
API responses include rate limit information:
X-RateLimit-Limit: Maximum requests per window
X-RateLimit-Remaining: Requests remaining
X-RateLimit-Reset: Window reset timestamp
6. Audit Logging
What We Log
Structured application and provider logs help maintain security and troubleshoot selected service operations:
- Authentication Events - Selected authentication failures and successful token validation
- Data Operations - Upload initiation, completion, failure, and selected settings changes
- Security Events - Rate-limit blocks and validation failures
- Provider Events - Vercel request logs and GitHub Actions workflow status
Log Information
Structured application entries can include, where applicable:
- Timestamp (ISO 8601 format)
- Event type and description
- User identifier associated with the operation
- IP address
- User agent
- Request path and operation-specific status or error details
Log Retention
Application logs follow the retention configured by the hosting and workflow providers. Access is limited to accounts authorized for the relevant service. See the Privacy Policy for current retention criteria.
7. Infrastructure Security
Hosting Provider: Vercel
Our application is hosted on Vercel, which provides:
- Global edge network with automatic failover
- DDoS protection and Web Application Firewall
- Automatic SSL/TLS certificate management
- SOC 2 Type II compliant infrastructure
- ISO 27001 certified data centers
Database: Supabase
User data is stored in Supabase, which provides:
- PostgreSQL database with Row Level Security
- Encryption at rest and in transit
- Regular automated backups
- SOC 2 Type II compliance
- Point-in-time recovery capabilities
Upload Processing: GitHub Actions
Starting an upload creates a status record in Supabase and sends an encrypted Microsoft Graph token, the selected app identifier, and upload options through GitHub's repository-dispatch API. A time-limited GitHub Actions job decrypts the token, downloads the package, and uploads it directly to Microsoft Intune's delegated Azure Storage location.
Upload callbacks are signed with HMAC-SHA256 and checked before job status is updated. The workflow has a 45-minute processing timeout, and no application package binary is stored in the IntuneBrew database.
8. Vulnerability Management
Dependency Management
- Regular updates of all dependencies
- Automated vulnerability scanning in CI/CD pipeline
- Security advisory monitoring for used packages
- Prompt patching of identified vulnerabilities
Secure Development
- Security-focused code review for all changes
- OWASP guidelines for secure coding practices
- Input validation and output encoding
- Protection against common vulnerabilities (XSS, CSRF, injection)
Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue, please email support@ugurlabs.com with details. We will acknowledge your report within 48 hours and work with you to address the issue.
9. Incident Response
Incident Response Process
We maintain documented incident response procedures that include:
- Detection - Monitoring systems alert on potential security events
- Containment - Immediate action to limit impact
- Investigation - Thorough analysis of the incident
- Remediation - Fixing the root cause
- Communication - Notifying affected parties as required
- Post-Incident Review - Learning and improving from the incident
Breach Notification
In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities as required by GDPR and other applicable laws. See our Data Processing Agreement for detailed notification procedures.
10. Security Contact
Report Security Issues
If you have security concerns or want to report a vulnerability, please contact us:
For urgent security matters, please include "SECURITY" in the subject line.
Related Documents
- Privacy Policy - How we handle your data
- Data Processing Agreement - GDPR compliance details
- Acceptable Use Policy - Usage guidelines
- Terms of Service - Service terms