Security
Archway is built on the principle that SEs should never handle customer credentials. Encryption, isolation, and access control are foundational — not bolted on.
All customer secrets are encrypted at rest using AES-256-GCM with per-organization derived keys. Ciphertext and key material are stored separately. Secrets are only decrypted in-memory during bridge execution and never written to logs.
SEs reference secrets by name — they never see, access, or transmit actual credential values. Customer credentials flow directly from the portal to encrypted storage. The SE dashboard shows only metadata and status.
Every bridge undergoes automated static analysis before deployment. Code is scanned for hardcoded credentials, injection vulnerabilities, unsafe API patterns, and unvalidated inputs. Flagged issues block deployment until resolved.
Every database query is scoped to the authenticated user's organization. Cross-tenant data access is architecturally impossible. Bridges, secrets, customers, and invocation logs are fully isolated between organizations.
Granular RBAC controls who can create, deploy, and manage bridges. Admins configure team permissions and review deployments. Every action — login, deploy, secret rotation — is recorded in an immutable audit log.
Each bridge runs in an isolated sandbox with no access to the host filesystem, network stack, or other bridges. Execution is time-limited with configurable timeouts to prevent resource abuse.
Deploy Approval
An automated pipeline ensures no bridge reaches production without passing security checks.
Code is written in the browser editor and saved as a draft. Draft bridges cannot be invoked.
Static analysis checks for hardcoded secrets, injection patterns, unsafe API usage, and missing input validation.
Team admins review flagged issues, inspect code changes, and approve or request modifications before deployment.
Approved bridges go live with a unique endpoint URL. The full review trail — scan results, approver, timestamp — is permanently recorded.
Architecture
Data is encrypted at every boundary — from the customer's browser to the database, and from storage to bridge execution.
Why It Matters
[Figure omitted. Source: Verizon DBIR]
Multiple independent layers of protection ensure no single failure compromises security.
All API inputs are validated at the boundary using strict schemas. No unvalidated data reaches business logic.
All database queries are parameterized by default. SQL injection is eliminated by design.
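The two controls above, boundary validation and parameterized, tenant-scoped queries, as one added Node.js example that is not Archway's code. The request schema, the table and column names in the SQL text, and the `handleInvoke` handler are assumptions. The validator rejects unknown keys (including prototype-named ones), missing required keys, wrong types and bad formats before anything reaches business logic; the query builder takes the organization id from the verified session, never from the request, and passes every user-derived value as a bound parameter so nothing from the request is ever spliced into SQL text.

```javascript
// Added example (not Archway's code): strict schema validation at the API
// boundary, then a parameterized statement scoped to the session's org.

// Constructed request schema for a bridge invocation.
const invocationSchema = {
  bridgeId: { type: 'string', pattern: /^[a-z0-9-]{1,64}$/ },
  payload:  { type: 'object' },
  dryRun:   { type: 'boolean', optional: true },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Strict validation: unknown keys rejected, required keys present, types and
// formats checked. Only the allowlisted, checked fields are copied out.
function validate(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be an object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    // hasOwn, not `in`: a key like "constructor" or "__proto__" is found on
    // every object's prototype chain and must not count as a schema field.
    if (!hasOwn(schema, key)) errors.push(`unexpected field: ${key}`);
  }
  const value = {};
  for (const [key, rule] of Object.entries(schema)) {
    const v = body[key];
    if (v === undefined) {
      if (!rule.optional) errors.push(`missing field: ${key}`);
      continue;
    }
    const actual = Array.isArray(v) ? 'array' : v === null ? 'null' : typeof v;
    if (actual !== rule.type) {
      errors.push(`${key}: expected ${rule.type}, got ${actual}`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(v)) {
      errors.push(`${key}: bad format`);
      continue;
    }
    value[key] = v;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Tenant scoping: org_id is bound from the verified session on every
// statement, and request values are parameters, never SQL text.
function findBridgeStatement(session, bridgeId) {
  return {
    text: 'SELECT id, name, state FROM bridges WHERE id = $1 AND org_id = $2',
    values: [bridgeId, session.orgId],
  };
}

// Boundary handler: validate first, then build the scoped statement.
function handleInvoke(session, rawBody) {
  const v = validate(invocationSchema, rawBody);
  if (!v.ok) return { status: 400, errors: v.errors };
  return { status: 200, statement: findBridgeStatement(session, v.value.bridgeId) };
}
```

Because `orgId` is not a schema field, a request that tries to name another organization is rejected as an unexpected field rather than silently ignored, which also makes the attempt visible in request logs.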
Every deployment, secret rotation, invocation, and admin action is recorded with timestamps, user IDs, and IP addresses.
Credential values are never written to application logs, error reports, or invocation traces. Only [REDACTED] placeholders appear.
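The audit record and the redaction rule in the two paragraphs above, as one added Node.js example that is not Archway's logger. Field names, the `registerSecretValue` hook and the event shapes are assumptions. Credential values are registered with the logger at the point they are decrypted, and every message, including error messages and stack traces, is scrubbed against the registered values (and their URL-encoded and base64 forms) before an entry is stored, so only `[REDACTED]` placeholders appear.

```javascript
// Added example (not Archway's code): an append-only audit log whose entries
// carry timestamp, user id and IP, with known credential values scrubbed.
const knownSecrets = new Set();

// Called wherever a credential is decrypted, so the logger can recognise it.
// Short values are skipped so redaction cannot mangle ordinary text.
function registerSecretValue(value) {
  if (typeof value !== 'string' || value.length < 8) return;
  for (const variant of [
    value,
    encodeURIComponent(value),
    Buffer.from(value, 'utf8').toString('base64'),
  ]) {
    knownSecrets.add(variant);
  }
}

function redact(text) {
  let out = String(text);
  // Longest values first, so a secret that contains a shorter one is
  // replaced whole rather than leaving fragments behind.
  for (const s of [...knownSecrets].sort((a, b) => b.length - a.length)) {
    out = out.split(s).join('[REDACTED]');
  }
  return out;
}

const auditLog = [];

// Every entry is frozen on creation and the log is append-only.
function audit(event) {
  const entry = Object.freeze({
    at: new Date().toISOString(),
    userId: event.userId,
    ip: event.ip,
    action: event.action,
    target: event.target ?? null,
    detail: redact(event.detail ?? ''),
  });
  auditLog.push(entry);
  return entry;
}

// Errors raised during bridge execution go through the same path: message
// and stack are scrubbed so a credential embedded in an exception (a failed
// auth header, say) cannot reach the stored trace.
function auditError(context, err) {
  return audit({
    ...context,
    action: 'bridge.error',
    detail: `${err.message}\n${err.stack ?? ''}`,
  });
}
```

Value-based scrubbing catches the exact credential and the encodings registered for it; a credential that is transformed in some other way before it reaches a log line (hashed, truncated, split across fields) is outside what this filter can recognise, which is why the stronger guarantee on the page is that the value never enters a log call in the first place.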
Bridge execution is time-limited with configurable timeouts (default 30s). Runaway processes are terminated automatically.
All traffic between clients, APIs, and databases is encrypted in transit. No plaintext data traverses the network.