Security Architecture
Six-layer defense-in-depth architecture with enterprise-grade security controls. AI Governance provides an additional enforcement plane for LLM spend and policy compliance.
Layer 1 — Perimeter Security
Volumetric attack mitigation, rate limiting, geo-blocking at the edge
Cloudflare-managed L7 routing with TLS termination and WebSocket support
Custom WAF rules, bot detection, and IP reputation filtering
Layer 2 — Network Security
Encrypted peer-to-peer networking between Runtime instances and workers
NAT traversal fallback relays for connectivity behind restrictive firewalls
Azure Private Link for database and storage — no public IP exposure
Layer 3 — Identity & Access
Full SSO integration with Auth0, Azure AD, Okta, and custom OIDC providers
Fine-grained role-based access compiled to SQL for zero-overhead enforcement
Each organization gets a dedicated Temporal namespace for hard execution boundaries
Layer 4 — Data Protection
PostgreSQL Flexible Server with transparent data encryption, geo-redundant backups
All inter-service communication encrypted. SRTP for WebRTC media streams
Azure Key Vault for TLS certificates and secrets with automatic rotation
Layer 5 — AI Governance & Application
Intercepts all LLM/AI calls for governance — budget caps, policy checks, usage logging
Token and spend limits per agent, per org. OPA policies for content filtering
Non-root runtime, minimal Alpine base, read-only filesystem, no shell in production
Layer 6 — Monitoring & Audit
Real-time metrics collection and distributed tracing across all services
Cryptographic audit chain — every action logged, tamper-evident, immutable retention
Worker heartbeat detection, automatic failover, Temporal activity retries