Security & Privacy

Encryption

End-to-end TLS, encryption at rest (SSE-S3, KMS), and optional client-side encryption for self-hosted deployments.

OAuth2/OIDC providers, 2FA for local accounts, and fine-grained RBAC with roles and permissions.

Comprehensive auditing for administrative and data access events with tamper-evident logs.

Full data sovereignty with predictable object layout, embedded manifests, and bulk export capabilities.