Security at Augur.
Federal procurement work means you handle non-public business information about pursuits, partners, and pricing. Augur is built so that information stays inside your team. This page is the longer version — the architectural facts that earn the claims on the rest of the site.
Identity and access
Passwords are stored as PBKDF2-SHA-256 hashes with per-user random salts and 100,000 iterations. We never see, store, or transmit the raw password.
Sessions are bearer tokens issued at sign-in. The raw token is sent to your browser once, set as an HttpOnly + Secure + SameSite=Strict cookie, and is never accessible to client-side JavaScript. The server stores only the SHA-256 hash of the token, plus a separate CSRF token used for double-submit verification on state-changing requests.
Sessions expire 30 days after issuance. Changing a password invalidates every other active session for that user immediately; the only session preserved is the one making the change request.
Authorization
Every authenticated endpoint runs through a shared requireAuth helper. The helper validates the cookie, looks up the session in the database, confirms the user is active, and (for admin-only routes) confirms the user’s role is admin. The role check is server-side; a malicious client can’t flip a flag and reach an admin endpoint.
CSRF
Every state-changing endpoint requires a matching CSRF token in both the csrf_token cookie and the X-CSRF-Token header (or request body for form submissions). The cookie is SameSite=Strict, which already prevents cross-site POSTs from succeeding, so the explicit double-submit is belt-and-suspenders for the older browser corner-cases.
Transport and headers
All traffic is served over TLS 1.2 or higher. The platform sets strict security headers on every response:
- Content-Security-Policy with script-src 'self' on app pages — no inline scripts, no third-party JavaScript.
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Content-Type-Options: nosniff
- Referrer-Policy: no-referrer
- Permissions-Policy disabling camera, mic, geolocation, payment, and USB access we don’t use.
- Cache-Control: no-store on every /app/* and /api/* response so signed-in pages never end up in browser, proxy, or CDN caches.
Tenant isolation
Augur is deployed per-customer. Each deployment has its own Cloudflare Pages project, its own D1 database, and its own SAM.gov API key. There is no cross-tenant query path, no shared user table, and no shared watchlist storage. Customer data is never used to train models for another customer or for any third party.
Audit trail
Every authentication event, password change, role change, account creation, account deletion, and watchlist mutation is recorded with timestamp, actor, target, IP, and user agent. The log is visible to team administrators inside the app and can be exported via the /api/activity endpoint.
Sub-processors
Our sub-processors are listed in our Privacy Policy. We notify customers in advance of any sub-processor change. Material additions or substitutions trigger a 30-day window during which customers may object.
Compliance posture
Augur is designed to align with the controls required by:
- FedRAMP Moderate baseline (control mappings available on request under NDA).
- FAR 52.204-21 basic safeguarding of contractor information systems.
- NIST SP 800-171 protecting controlled unclassified information (CUI) in non-federal systems — see our FAR compliance page for specifics.
We do not currently hold a SOC 2 Type II report; this is on the 2026 roadmap. Customers with attestation requirements should ask about our pilot-stage compliance package.
Responsible disclosure
If you believe you have found a security vulnerability in Augur, please report it to security@augurai.app. Include:
- A description of the vulnerability and its impact.
- Steps to reproduce, including any relevant requests, payloads, or account context.
- Your name and a way to contact you for follow-up (you may report anonymously, but we can’t credit or pay you without contact info).
We acknowledge reports within two business days and aim to resolve critical issues within seven days. We don’t pursue legal action against good-faith researchers who follow this policy and refrain from accessing other users’ data, disrupting the Service, or publicly disclosing the issue before we’ve had a chance to fix it.
Status and uptime
Live status is published on the marketing site footer and at /api/health. Historical incident reports are available to customers in the support portal.
Contact
Security questions: security@augurai.app
General privacy: privacy@augurai.app