Security Overview
Slim.io is built on a zero-trust architecture where every component assumes breach and validates independently. This section covers the security measures, encryption model, identity management, and compliance posture of the platform.
Security Principles
Zero-Trust Architecture
Every API request is authenticated and authorized independently. There are no implicit trust relationships between services or users. Authentication tokens are validated on every request, not just at session start.
Least-Privilege Access
All cloud connector credentials use the minimum permissions required for scanning (read-only access to storage objects). No write permissions are ever requested or used during normal operation.
Encryption Everywhere
Data is encrypted at rest using cloud-managed encryption keys (AES-256). Data in transit uses TLS 1.3. PII findings can be additionally encrypted using authenticated AES-256 tokenization with per-tenant key isolation.
Audit Everything
All sensitive operations — scan execution, policy changes, connector modifications, member management — are logged with timestamps, actor identity, and operation details. See Audit Logging for full details.
Security Architecture
Network Security
| Layer | Protection |
|---|---|
| Edge | DDoS mitigation and web application firewall rules |
| Transport | TLS 1.3 for all client-to-server communication |
| Internal | mTLS between backend services |
| API | HMAC-signed inter-service calls to prevent tampering |
Authentication
The platform maintains a strict authentication boundary between the customer and administrative interfaces. Each portal validates the JWT issued to the user at login within its own authentication context, and a token from one context is rejected by the other: a customer token cannot authenticate to administrative endpoints, and an administrative token cannot authenticate to customer endpoints. The two authentication systems are kept completely separate by design to prevent privilege escalation.
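The following is an added illustration of how such a verifier keeps the two contexts apart; it is not Slim.io's code. Each context has its own HS256 signing key and expected audience claim (both constructed here as assumptions), so a token minted for the customer portal fails both the signature check and the audience check when presented to an administrative endpoint, and vice versa.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed per-context keys and audience values (assumptions, not real Slim.io settings).
# Keeping separate keys per context means a token signed for one context can never verify in the other.
CONTEXTS = {
    "customer": {"key": b"customer-portal-signing-key-constructed", "aud": "customer-portal"},
    "admin":    {"key": b"admin-portal-signing-key-constructed",    "aud": "admin-portal"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(context: str, subject: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT bound to one context through that context's key and audience claim."""
    ctx = CONTEXTS[context]
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "aud": ctx["aud"], "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ctx["key"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(context: str, token: str, now=None):
    """Validate a token for the endpoint's own context; return the claims, or None if rejected."""
    ctx = CONTEXTS[context]
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # reject algorithm confusion ("none", RS256, ...) before touching the key
        expected = hmac.new(ctx["key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # wrong key: minted for the other context, or tampered with
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64, JSON, or token shape
        return None
    # Audience check is the second, independent binding to this context; expiry is enforced too.
    if not isinstance(claims, dict) or claims.get("aud") != ctx["aud"] or claims.get("exp", 0) <= now:
        return None
    return claims
```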
Data Handling
What Slim.io Stores
| Data Type | Encryption | Retention |
|---|---|---|
| Scan findings | Cloud-managed + optional AES-256 tokenization | Configurable per tenant |
| Connector configurations | Cloud-managed | Until connector deletion |
| Policy definitions | Cloud-managed | Until policy deletion |
| Audit logs | Cloud-managed | 90 days (configurable) |
What Slim.io Does NOT Store
- Original file contents (files are scanned in-stream and not retained)
- Cloud provider credentials in plaintext (encrypted at rest, decrypted only during API calls)
- LLM conversation logs (context sent to LLM providers is not stored)
Learn More
- Encryption & Tokenization — AES-256 tokenization, key management, key hierarchy
- Identity & SSO — SAML 2.0, supported providers, JIT provisioning
- Audit Logging — Comprehensive audit trail and SIEM integration
- Compliance — GDPR, HIPAA, PCI-DSS, SOC 2 mapping
- BYOC — Client-hosted scanning for maximum data control