# Security framework

## Executive Summary

Eli operates a security-first architecture built on a fundamental principle: **carefully select the most secure cloud providers and let them handle what they do best**. Rather than reinventing infrastructure security, we concentrate our own expertise on application-level security and rely on enterprise-grade providers that specialize in infrastructure protection. We consider this division of responsibility to deliver better security outcomes than self-managing both layers.

## Defense-in-Depth Security Strategy

**Infrastructure Security (Provider-Managed)**

* DDoS protection via Vercel's global CDN and AWS infrastructure
* Network-level security filtering and threat detection
* Automatic security patching for underlying infrastructure
* Geographic redundancy across multiple availability zones

**Application Security (Eli-Managed)**

* Type-safe API design with schema validation of every input, closing the common injection paths
* Comprehensive authentication and authorization controls
* Encryption of all data in transit (TLS)
* Secure development lifecycle with automated security scanning

### Core Security Domains <a href="#core-security-domains" id="core-security-domains"></a>

Our security framework is organized across four key operational areas. The first three are detailed in dedicated documentation; the fourth, infrastructure and application security, is covered below.

**Access Controls**

* Multi-method authentication and identity management
* Role-based access control and authorization
* API security architecture and session management

**Data Protection & Backup**

* Encryption standards and key management
* Data isolation and backup strategies
* Recovery and business continuity procedures

**Incident Response & Recovery**

* Security monitoring and threat detection
* Incident response procedures and escalation
* Disaster recovery and uptime commitments

### Infrastructure & Application Security <a href="#infrastructure-and-application-security" id="infrastructure-and-application-security"></a>

**Cloud Provider Security (Inherited)**

* **Vercel/AWS**: DDoS protection, WAF filtering, infrastructure monitoring
* **MongoDB Atlas**: Automated security patching, network isolation, backup encryption
* **Firebase/Google Cloud**: Identity and access management, audit logging, compliance certifications

**Application Security by Design**

**Secure Development Practices**

* TypeScript for compile-time security validation
* Zero-warning linting policy enforcing security best practices
* Automated dependency vulnerability scanning
* Code review requirements for all changes

**Runtime Protection**

* tRPC type-safe procedures with runtime input validation on every call, so malformed or operator-bearing payloads are rejected before they reach business logic (compile-time types alone do not constrain a hostile client)
* Prisma ORM building MongoDB queries from typed arguments rather than string concatenation, preventing NoSQL operator injection for everything that stays inside the typed query API
* CORS policies restricting cross-origin requests to authorized domains
* Input validation and sanitization at API boundaries
* Content Security Policy (CSP) headers
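As an added example (not Eli's code; the `findOne` matcher, the sample users and the reset-token lookup are constructed for illustration), the following TypeScript shows the NoSQL operator-injection path that validation at the API boundary closes, next to the hardened version. It assumes a MongoDB-style filter built from client JSON; the safe version does the job a tRPC `.input()` validator would do, without importing tRPC or zod so that it runs stand-alone.

```typescript
// Added example, not Eli's code. No database driver is used; a tiny matcher
// imitates MongoDB's handling of equality, $ne and $regex so the bypass can be
// observed offline.

type Doc = { [key: string]: unknown };

// Imitates MongoDB matching for one field. As in MongoDB, a missing field
// compares as null, so {"resetToken": {"$ne": null}} matches only documents
// where the field is present and non-null.
function fieldMatches(stored: unknown, cond: unknown): boolean {
  const value: unknown = stored === undefined ? null : stored;
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    const ops = cond as Doc;
    const keys = Object.keys(ops);
    for (let i = 0; i < keys.length; i++) {
      const op = keys[i];
      const arg = ops[op];
      if (op === "$ne") {
        if (value === (arg === undefined ? null : arg)) return false;
      } else if (op === "$regex") {
        if (typeof value !== "string" || !new RegExp(String(arg)).test(value)) return false;
      } else {
        throw new Error("unsupported operator in this example: " + op);
      }
    }
    return true;
  }
  return value === cond;
}

// Returns the first document whose fields all satisfy the filter.
function findOne(collection: Doc[], filter: Doc): Doc | undefined {
  const fields = Object.keys(filter);
  for (let i = 0; i < collection.length; i++) {
    const doc = collection[i];
    let ok = true;
    for (let j = 0; j < fields.length && ok; j++) {
      ok = fieldMatches(doc[fields[j]], filter[fields[j]]);
    }
    if (ok) return doc;
  }
  return undefined;
}

// Constructed sample data: one pending password reset (token is made up).
export const users: Doc[] = [
  { email: "alice@example.com", resetToken: "0f3a9c1d2e4b5a6c7d8e9f0a1b2c3d4e" },
  { email: "bob@example.com" },
];

// VULNERABLE: the token is whatever JSON the client sent, so an object such as
// {"$ne": null} (match any pending reset) or {"$regex": "^0f"} (enumerate the
// token one character at a time) becomes a query operator.
export function redeemResetTokenUnsafe(input: any): string | null {
  const match = findOne(users, { resetToken: input.token });
  return match ? String(match.email) : null;
}

// Hardened: a runtime schema check before any query is built. This is the role
// of the validator passed to a tRPC procedure's .input(); with zod it would be
// z.object({ token: z.string().regex(/^[0-9a-f]{32}$/) }).
export function parseResetInput(input: unknown): { token: string } {
  if (input === null || typeof input !== "object") {
    throw new Error("invalid input: expected an object");
  }
  const token = (input as Doc).token;
  if (typeof token !== "string" || !/^[0-9a-f]{32}$/.test(token)) {
    throw new Error("invalid input: token must be 32 lowercase hex characters");
  }
  return { token: token };
}

export function redeemResetTokenSafe(input: unknown): string | null {
  const parsed = parseResetInput(input); // rejects operator objects outright
  const match = findOne(users, { resetToken: parsed.token });
  return match ? String(match.email) : null;
}
```

The typed-query guarantee holds only while queries stay inside Prisma's typed API: the MongoDB connector's raw escape hatches (`findRaw`, `aggregateRaw`, `$runCommandRaw`) take arbitrary documents, so anything that reaches them needs this kind of validation first.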

### Compliance & Certifications <a href="#compliance-and-certifications" id="compliance-and-certifications"></a>

**Industry Standards**

* SOC 2 Type II readiness; provider certifications are inherited for the infrastructure layer only and do not by themselves cover the application
* ISO 27001 alignment through cloud provider certifications
* GDPR technical and organizational measures compliance
* Industry-specific security requirements support

### Vulnerability Management <a href="#vulnerability-management" id="vulnerability-management"></a>

**Automated Scanning**

* Dependency vulnerability scanning in CI/CD pipeline
* Static code analysis for security issues
* TypeScript strict type checking at build time

**Patch Management**

* Automatic security updates for cloud infrastructure (provider-managed)
* Rapid application patching for identified vulnerabilities
* Zero-downtime deployment capability for emergency patches
* Staging environment testing for all security updates

***

**For technical security questions or detailed architecture discussions, contact:** [security@eliapp.io](mailto:security@eliapp.io)

**Last Updated:** August 2025
