Security & compliance FAQ — PatchPilot Docs

Encryption

Is data encrypted in transit?

Yes. TLS 1.2 minimum, TLS 1.3 preferred, on every connection between agent, admin console, and API. Legacy ciphers (3DES, RC4, export-grade) are disabled. Agent connections additionally pin to the PatchPilot root certificate.

Is data encrypted at rest?

Backups are always encrypted: AES-256-CBC with PBKDF2 (SHA-256, 200,000 iterations). Backups rotate on a 14-day cycle. The host's primary disks use OVH-managed storage; sensitive fields (secrets, tokens, passwords) are individually hashed or encrypted at the application layer.

Where are encryption keys stored?

Service credentials live in a systemd EnvironmentFile with mode 0600, owned by the dedicated service user. Backup encryption keys are held by the customer for offsite replication scenarios.

Authentication

How do users sign in?

Email + password (bcrypt, cost factor 10), with optional TOTP 2FA. SSO via OIDC is available on Business and Enterprise tiers; SAML on Enterprise. Sessions are opaque random IDs with HttpOnly + Secure + SameSite=Lax cookies, sliding 7-day expiry, absolute 30-day expiry.

How do agents authenticate?

Agents are bootstrapped with an organisation-level token (ppk_ prefix), then immediately rotate to a per-device token (ppdt_ prefix) on first check-in. Device tokens are scoped to a single device and are revocable.

Are there roles?

Yes — Owner, Admin, Operator, Auditor, plus MSP Tenant Admin on the MSP tier. All permission checks are server-side; UI hiding is belt-and-braces only.

Multi-tenant isolation

How is one customer's data kept separate from another's?

Every query is scoped to organization_id at the data-access layer. There is no shared-state cache between organisations. The MSP console enforces tenant context server-side — an MSP user always operates on exactly one tenant per request, even when the UI shows them a list of clients.

Has this been tested?

Continuously. We run an isolation harness in CI that attempts cross-tenant access on a representative slice of endpoints and fails the build if any leak is detected.

Audit logging

What's logged?

Two append-only tables:

audit_log — operational events: patch approvals, rollbacks, baseline changes, drift accept / remediate, device enrol / retire, alert resolutions.
admin_audit_log — identity events: login, login failure, password change, 2FA enrolment, role change, API key creation / revocation, session termination.

How long is the audit log retained?

30 days on Free, 90 days on Starter, 1 year on Professional, 3 years on Business, customisable on Enterprise. Exports to CSV from the UI; SIEM forwarding via syslog (RFC 5424) on Business and Enterprise tiers.

Compliance frameworks

Which frameworks does PatchPilot evidence?

UK Cyber Essentials — the primary at-launch framework.
SOC 2 Type II — control-mapped evidence pack.
ISO 27001 Annex A.
UK GDPR — including a RoPA helper and DSAR flow.
PCI-DSS 4.0 (requirements 5, 6, and 11).
HIPAA (164.308 / 164.312).

Is the evidence pack auditor-ready?

Yes — it's the actual deliverable, with control mapping, source-of-truth references, and timestamped evidence rows. We've put it in front of UK and US auditors and got nods, not eye-rolls.

Vulnerability disclosure

How do I report a security issue?

Email security@patchpilot.co.uk. PGP key on request. Acknowledgement within 2 business days, triage within 7, fix timeline within 14. We ask for 90 days before public disclosure, extendable by agreement. Safe harbour applies for good-faith research within scope.

What's in scope?

The patchpilot.co.uk domain, all subdomains, and the Windows agent MSI. Out of scope: social engineering, DoS, spam, and findings in third-party services.

Sub-processors and data flow

See the live sub-processors list. Hosting is in the UK on dedicated infrastructure; we deliberately avoid US-only SaaS dependencies in the primary data path.