Security measures we use on the BT San Technology platform.
Last updated: May 26, 2026
We build the platform with customer data security as a primary goal. This page summarizes the measures we apply in practice, both technical and operational. Enterprise customers needing more detail can contact [email protected].
Encryption
Encryption in transit — HTTPS/TLS 1.3 on every public-facing endpoint.
Encryption at rest — datasets, models, and uploaded files are encrypted in storage.
Password hashing — customer passwords are stored using bcrypt (cost factor 12). We never store plaintext passwords.
JWT signing — tokens use asymmetric signing with short-lived access tokens and rotating refresh tokens.
Access control
Role-based access control (RBAC) — owner, admin, member, and viewer roles per organisation.
Two-factor authentication (TOTP) — available for any account, compatible with standard authenticator apps.
Session management — automatic token expiry, and the user can sign out of every session at any time.
SSO — Google and Facebook OAuth out of the box; SAML available on request for enterprise customers.
Tenant isolation
Every record is tagged with a tenant_id at the database row level and as an object-storage prefix.
Queries and API endpoints enforce tenant_id filtering based on the authenticated user.
One customer cannot access another customer's datasets, labels, models, or devices — through either the UI or direct API.
Object storage backup — datasets and models are replicated across availability zones.
Disaster recovery — RTO and RPO targets are specified in enterprise contracts.
Monitoring and incident response
Audit log — every API action is logged with user, timestamp, and IP.
Monitoring — metrics in Prometheus + logs in Loki, with alerts to Slack/PagerDuty.
Incident response — on-call team during business hours, with documented containment, analysis, and customer-notification steps consistent with our Privacy Policy.
Network and infrastructure
Edge protection — Cloudflare WAF, DDoS protection, and bot management.
Bot / CAPTCHA — Cloudflare Turnstile on sensitive auth endpoints.
Rate limiting — at the API gateway to prevent brute force and abuse.
Internal network — service-to-service traffic stays inside the VPC; no public exposure.
People, process, and vendors
Staff and contractors sign NDAs before accessing identifiable data.
Customer-data access by our team is limited to what's needed to deliver the service, and is audit-logged.
Vulnerability disclosure — see security.txt (RFC 9116).
Compliance and standards
PDPA — we comply with Thailand's Personal Data Protection Act — see our Privacy Policy.
ISO 27001 / SOC 2 — on our roadmap; we can share more detail with enterprise customers on request.
DPA — available for enterprise customers — see DPA.
Report a vulnerability
If you find a security issue, please email [email protected] with details and reproduction steps. Please do not disclose it publicly before we have had a chance to investigate and remediate.
We aim to acknowledge reports within 3 business days. See also security.txt.
Get Started
Ready to upgrade your factory?
Free site visit within 7 business days. We'll assess what can be improved and propose an approach that fits your budget.
