Security
How we protect your data, code, and infrastructure.
Last updated: March 1, 2026
Infrastructure
Morphora runs on hardened cloud infrastructure with strict network segmentation. The control plane (UI, API, authentication) and the execution plane (ticket processing, code generation, verification) operate in separate trust boundaries. Execution workloads never share processes with the control plane.
All infrastructure is provisioned through code with automated configuration management, and access to production systems is restricted to authorized personnel through role-based controls.
Data Encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Database connections are encrypted and authenticated. Secrets and credentials for connected providers are stored in dedicated, encrypted secret storage and are never logged or included in analytics.
Access Controls
Morphora enforces workspace isolation so that each tenant's data is strictly separated. Authentication is handled through secure identity providers. All API access requires valid authentication tokens, and all actions are scoped to the authenticated user's workspace and permissions.
Provider connections (GitHub, GitLab, Jira, Linear, etc.) use least-privilege access. We request only the permissions necessary to perform the configured workflows and never request broader access than required.
Secure Development Practices
- All code changes go through review before merging to production
- Dependencies are monitored for known vulnerabilities and updated regularly
- Secrets are never committed to source control or included in application logs
- Input from external sources (ticket content, repository data) is treated as untrusted and sanitized before processing
- Prompt injection mitigations separate trusted system instructions from untrusted user-provided content
Execution Isolation
Every code-generation and verification run operates in an isolated workspace with:
- Time limits to prevent runaway processes
- Resource limits on CPU and memory
- Controlled network access
- No shared writable state between runs or between tenants
Workspaces are created fresh for each execution and cleaned up afterward. Generated code changes are never applied to production repositories without explicit review and approval.
Audit and Observability
All significant actions in the platform are recorded as audit events, including provider connections, ticket analyses, code generation runs, approval decisions, and pull request creation. Audit logs are immutable and retained according to your workspace plan.
The platform exposes observability signals for provider authentication, ingestion, analysis latency, verification outcomes, and worker health to support operational monitoring and debugging.
Incident Response
We maintain an incident response process for security events. In the event of a confirmed data breach that affects your account, we will notify affected users within 72 hours and provide details about the scope, impact, and remediation steps taken.
Responsible Disclosure
If you discover a security vulnerability in Morphora, we encourage responsible disclosure. Please report it to notify@morphora.io. We will acknowledge your report within two business days and work with you to understand and resolve the issue. We will not take legal action against researchers who report vulnerabilities in good faith.
Questions
For security-related questions or concerns, contact us at notify@morphora.io.