Security at Odysseus
Security is foundational to everything we build. Odysseus is designed from the ground up to protect your infrastructure, data, and operations.
Authentication & Authorization
Odysseus uses a multi-layered authentication system to ensure only authorized users and services can access your infrastructure.
- JWT-based user authentication with short-lived access tokens and secure refresh token rotation
- Mutual TLS (mTLS) for all inter-component communication, ensuring both parties in every connection are verified
- Four-tier RBAC — Admin, Operator, Developer, and Read-only roles with granular permission controls
- API key authentication for programmatic access with scoped permissions
Tenant Isolation
Every tenant operates in a fully isolated environment. Odysseus enforces separation at multiple layers:
- Network isolation — Each tenant's containers run on isolated Docker networks with no cross-tenant connectivity
- Data isolation — Row-Level Security (RLS) policies enforce tenant boundaries at the database level
- Resource quotas — CPU, memory, and container limits prevent any single tenant from affecting others
- Scoped API access — All API requests are scoped to the authenticated tenant with server-side enforcement
Secrets Management
Odysseus integrates with HashiCorp Vault for enterprise-grade secrets management:
- Secrets are injected into containers via tmpfs mounts — never written to disk, never stored in environment variables
- Automatic rotation triggers zero-downtime container restarts when secrets change
- Vault AppRole authentication with least-privilege policies per service
- All secret access is logged in the audit trail
Audit Logging
Every action in Odysseus produces a tamper-evident audit record:
- Complete traceability — who performed the action, what changed, when it happened, and the outcome
- Audit records stored in a dedicated PostgreSQL database with append-only guarantees
- Covers authentication events, deployments, scaling actions, configuration changes, and administrative operations
- Queryable via the dashboard and API for compliance reporting
Infrastructure Security
- TLS everywhere — All external traffic is encrypted with automatically renewed Let's Encrypt certificates
- No-new-privileges security option applied to all containers
- Non-root execution — Services run as non-root users wherever possible
- Resource limits — All containers have CPU and memory limits to prevent resource exhaustion
- CVE scanning — Automated vulnerability scanning of container images before deployment
- WireGuard VPN — Encrypted mesh networking for multi-node deployments
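One way to check a running container against the settings listed under Secrets Management and Infrastructure Security, as an added example that is not Odysseus code: the function below reads one `docker inspect` object and reports a missing no-new-privileges option, root execution, absent CPU or memory limits, a secrets directory that is not tmpfs, and secret-looking environment variables. The `/run/secrets` path, the name heuristics and the two sample containers are assumptions constructed for illustration.

```python
import json

# Name fragments that suggest a secret in the environment (heuristic, an assumption).
SECRET_HINTS = ("SECRET", "PASSWORD", "TOKEN", "API_KEY")
NNP = ("no-new-privileges", "no-new-privileges:true", "no-new-privileges=true")

def audit_container(inspect, secrets_dir="/run/secrets"):
    """Return hardening findings for one `docker inspect` container object."""
    cfg, host = inspect.get("Config") or {}, inspect.get("HostConfig") or {}
    findings = []
    if not any(o.lower() in NNP for o in host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    # An empty User, "root" or UID 0 means the main process runs as root.
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs as root")
    # Docker reports 0 for an unset Memory, NanoCpus or CpuQuota.
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not host.get("NanoCpus") and (host.get("CpuQuota") or 0) <= 0:
        findings.append("no CPU limit")
    # The secrets directory must be tmpfs, via --tmpfs or --mount type=tmpfs.
    tmpfs = set(host.get("Tmpfs") or {})
    tmpfs |= {m.get("Destination") for m in inspect.get("Mounts") or []
              if m.get("Type") == "tmpfs"}
    if secrets_dir not in tmpfs:
        findings.append(f"{secrets_dir} is not tmpfs")
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        if any(hint in name.upper() for hint in SECRET_HINTS):
            findings.append(f"secret-like env var: {name}")
    return findings

# Constructed sample shaped like `docker inspect` output; not taken from a real host.
SAMPLE = json.loads("""[
 {"Name": "/api-hardened",
  "Config": {"User": "10001:10001", "Env": ["LOG_LEVEL=info"]},
  "HostConfig": {"SecurityOpt": ["no-new-privileges:true"], "Memory": 536870912,
                 "NanoCpus": 500000000, "Tmpfs": {"/run/secrets": "rw,noexec,nosuid"}}},
 {"Name": "/worker-weak",
  "Config": {"User": "", "Env": ["DB_PASSWORD=example-only"]},
  "HostConfig": {"SecurityOpt": null, "Memory": 0, "NanoCpus": 0, "Tmpfs": null}}
]""")

if __name__ == "__main__":
    for container in SAMPLE:
        print(container["Name"], audit_container(container) or "OK")
```

An empty findings list means the container matches every item checked; the environment-variable check is name-based only and will miss secrets stored under neutral names.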
Compliance
Odysseus is built to help you meet your compliance requirements:
- SOC 2 — Controls for data isolation (CC6.1), access control (CC6.3), and audit logging (CC7.2) are built in
- GDPR — Tenant data segregation, access controls, and audit trails support GDPR data protection requirements
- PIPEDA — Canadian privacy law compliance through data isolation and access controls
Responsible Disclosure
We take security vulnerabilities seriously. If you believe you've found a security issue in Odysseus, please report it responsibly.
- Email: security@delta-telematics.ca
- We will acknowledge receipt within 24 hours
- We aim to provide an initial assessment within 72 hours
- We will not take legal action against researchers who follow responsible disclosure practices
Please do not disclose security vulnerabilities publicly until we have had an opportunity to address them.