Data Security Policy — CronusAI
SOFTBLITZ PESQUISA DESENVOLVIMENTO E CONSULTORIA DE SOFTWARE DO BRASIL LTDA - ME (SoftBlitz), operator of the CronusAI platform (HR SaaS within the OrbittAI ecosystem), establishes this Data Security Policy in alignment with the NIST Cybersecurity Framework, SOC 2 Trust Service Criteria, CIS Controls, and applicable industry standards.
1. Security Governance
Security governance is the responsibility of SoftBlitz leadership and the Data Protection Officer (DPO). The security policy is reviewed periodically and updated to address evolving threats, regulatory requirements, and best practices. Governance aligns with NIST SP 800-53 (AC-1, PL-1) and SOC 2 Common Criteria (CC1.1, CC1.2) for control environment and risk assessment.
2. Access Control (RBAC)
Access to data and functionality in the CronusAI platform is controlled through Role-Based Access Control (RBAC), consistent with the principle of least privilege per NIST SP 800-53 (AC-6) and CIS Control 14 (Controlled Access Based on Need to Know). The roles defined are:
- system_admin: Global platform access, company management, and system configuration. Restricted to designated administrators.
- company_admin: Access to data of the company under their administration: employees, cycles, contracts, invoices, payments, and documents.
- employee: Access limited to own data: time records, contracts, invoices, receipts, and personal documents.
Authorization checks are performed at middleware and handler layers using role and company_id from the JWT. No user accesses data beyond their role and associated company scope.
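The scope check described above, written as an added Go example (not CronusAI's own code; Go is assumed from the Asynq dependency): the three role names are the policy's, while Claims, Resource, RequireScope and the claimsOf/resolve hooks are assumptions.

```go
package main

import "net/http"

type Role string // role names exactly as listed in section 2 of the policy
const (
	RoleSystemAdmin  Role = "system_admin"
	RoleCompanyAdmin Role = "company_admin"
	RoleEmployee     Role = "employee"
)

// Claims are the JWT fields authorization reads; Resource is the record a handler touches.
type Claims struct {
	UserID, CompanyID string
	Role              Role
}
type Resource struct {
	CompanyID, OwnerID string // OwnerID is "" for company-level data such as cycles
	SystemWide         bool   // platform configuration, reserved for system_admin
}

// Allowed is the scope rule: deny by default, permit only inside the caller's
// role and company; an employee must additionally own the record.
func Allowed(c Claims, r Resource) bool {
	switch c.Role {
	case RoleSystemAdmin:
		return true
	case RoleCompanyAdmin:
		return !r.SystemWide && r.CompanyID == c.CompanyID
	case RoleEmployee:
		return !r.SystemWide && r.CompanyID == c.CompanyID && r.OwnerID == c.UserID
	}
	return false
}

// RequireScope gates a handler: claimsOf returns the already-verified JWT claims and
// resolve maps the request to its target resource (both are hypothetical hooks).
func RequireScope(claimsOf func(*http.Request) (Claims, bool), resolve func(*http.Request) Resource, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := claimsOf(r)
		switch {
		case !ok:
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
		case !Allowed(c, resolve(r)):
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}
```

Because the default branch of Allowed is a deny, a token carrying an unknown or empty role is rejected rather than silently treated as an employee.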
3. Authentication Policies
Authentication uses JWT (JSON Web Tokens) with limited validity and refresh token rotation. Credentials are stored with bcrypt hashing. Multi-factor authentication (MFA) is on the security roadmap and will be implemented in future releases. MFA is recommended by NIST SP 800-63B and SOC 2 CC6.1 for strengthening access controls.
4. Password Policies
Password policies enforce minimum complexity (length, special characters, mix of upper/lowercase and numbers). Weak or compromised passwords are rejected. Temporary lockout after multiple failed login attempts mitigates brute-force attacks. These measures align with NIST SP 800-63B and CIS Control 4 (Secure Configuration).
5. Encryption Standards
Encryption is applied in line with NIST SP 800-175B, SOC 2 CC6.6 (Logical and Physical Access Controls), and CIS Control 13 (Data Protection). Standards adopted:
- At rest: AES-256 for storage of sensitive data.
- In transit: TLS 1.3 for all communications between client and server and between infrastructure components.
Encryption keys are managed securely and are not exposed in logs or source code.
6. Encryption of Data at Rest
Data stored in databases (PostgreSQL), object storage (Cloudflare R2), and backups is encrypted at rest. Disk storage uses AES-256 encryption. Employee documents, contracts, and payment receipts are stored in R2 with encryption enabled. Data-at-rest encryption aligns with NIST SP 800-53 (SC-28) and SOC 2 CC6.6.
7. Encryption of Data in Transit
All communications between the user's browser and the API, and between the API and infrastructure services (database, Redis, R2, email, third-party APIs), use TLS 1.3. Certificates are maintained valid and properly configured. This prevents interception and tampering of data in transit, consistent with NIST SP 800-52 and SOC 2 CC6.6.
8. Audit Logging
Sensitive operations are recorded in audit logs, including: changes to employee data, cycle approvals, company status changes, document access, digital signatures, and administrative actions. Logs include user identifier, timestamp, action performed, and affected resource. Logs are protected from tampering and retained per retention policy. Audit logging supports SOC 2 CC7.2 (Monitoring) and NIST SP 800-53 (AU-2, AU-3).
9. Monitoring
Infrastructure and applications are continuously monitored for anomalies, failures, and indicators of compromise. Performance, availability, and security metrics are collected and analyzed. Alerts are configured for critical events to enable rapid response. Monitoring aligns with NIST CSF (Detect function) and SOC 2 CC7.2 (System Monitoring).
10. Incident Detection
Incident detection combines automated monitoring, log analysis, and alert review. Anomalous behavior (e.g., off-hours access, multiple login failures, atypical data access volumes) is investigated. SoftBlitz maintains documented procedures for classification and escalation of security incidents, per NIST SP 800-61 and CIS Control 17 (Incident Response Management).
11. Incident Response
In the event of a security incident, SoftBlitz follows a response plan that includes: immediate containment, root cause analysis, mitigation, notification to affected parties and regulators as required by applicable breach notification laws (e.g., California Civil Code §1798.82, NY SHIELD Act), documentation, and lessons learned. Incident response aims to minimize harm to data subjects and to preserve service continuity, per NIST SP 800-61 and SOC 2 CC7.3.
12. Backup and Recovery
Periodic backups of critical data are performed at an appropriate frequency. Backups are encrypted and stored in a location separate from production. Restore tests are conducted periodically to validate data recoverability. Backup retention policies are documented and aligned with business needs and legal requirements, per NIST SP 800-34 and SOC 2 CC7.4.
13. Infrastructure Security
CronusAI infrastructure uses Docker for containerization, PostgreSQL 16 for the relational database, and Redis 7 for cache and queues (Asynq). Containers are configured with minimal, updated images. Infrastructure access is restricted and logged. Networks are segmented and firewall rules limit unnecessary traffic. Production infrastructure operates in a controlled environment (Fly.io) with security hardening, per NIST SP 800-53 (SC-7, SC-8) and CIS Controls 11–12.
14. Cloud Security (Cloudflare R2, Fly.io)
File storage uses Cloudflare R2 (S3-compatible) with encryption at rest and presigned URLs for secure download (15-minute expiry). API hosting uses Fly.io with security configurations applied. Both providers maintain compliance with recognized security standards. SoftBlitz periodically evaluates cloud provider contracts and security practices, per SOC 2 CC9.1 (Vendor Management).
15. Supplier Security
Third parties that process data on behalf of SoftBlitz (subprocessors) are engaged under agreements that impose equivalent security and compliance obligations. New subprocessors undergo risk assessment. The subprocessor list includes: Resend (email), OpenAI (AI), Cloudflare (R2, CDN), Fly.io (hosting), and database providers. Vendor management aligns with SOC 2 CC9.1 and NIST SP 800-53 (PS-7).
16. Security Training
Personnel with access to personal data receive training on data protection, information security, and best practices. Training covers data classification, acceptable use, credential protection, and incident procedures. Training is delivered upon onboarding and at defined intervals, per NIST SP 800-50, CIS Control 14, and SOC 2 CC2.2.
17. Security Reviews
The security policy and implemented controls are subject to periodic reviews (at least annually) to ensure adequacy to threats, regulatory changes, and platform evolution. Reviews include vulnerability analysis, penetration testing when applicable, and documentation updates. Material changes are communicated to relevant stakeholders and incorporated into operational procedures, per SOC 2 CC4.1 (Monitoring of Controls) and NIST CSF (Govern function).
Contact: dpo@orbittai.com