Auth & Access
Authentication across SaaS, on-prem, and air-gapped; vulnerability handling; security review; internal access; compiler; and analytics-tool credentials.
How does authentication work
Console — depends on deployment model:
- SaaS: Auth0 with enterprise SSO (SAML 2.0, OIDC), MFA, session timeout
- On-premises: Your OAuth provider or deployed Keycloak instance
- Air-gapped: On-premises OAuth with no external dependencies
Apps — API key-based authentication for edge/cloud apps sending metrics. Keys are generated via the REST API with full lifecycle management (rotate, revoke, regenerate) and are scoped per environment/team.
Environment access control: Console access is scoped per environment with three permission levels: Owner (full control), Write (modify settings), and Read (view dashboards). API keys are scoped per environment and user.
How are vulnerabilities handled
Dependency updates are monitored continuously.
- Critical vulnerabilities (CVSS 9.0+): 48-hour SLA
- All other severities: 30-day SLA
- Reporting: security@log10x.com -- response within 24 hours
- Disclosure: coordinated disclosure with recognition for valid findings
Attack surface context: 10x apps have no inbound network listeners. Reporter tails logs directly (DaemonSet); Reducer uses local IPC between the forwarder and the sidecar. Outbound connections are limited to metrics push (HTTPS to Prometheus endpoint).
Container security: Deployment model varies by forwarder. OTel Collector and Logstash run the Reducer as a separate sidecar container (non-root, read-only root filesystem, independent resource limits). Fluentd, Fluent Bit, and Filebeat embed 10x as a child process within the forwarder container, inheriting its security context. The Reporter always deploys as a standalone DaemonSet pod, independent of the forwarder container. See Deployment Models for details.
Can we do a security review before purchasing
Yes. Enterprise customers can schedule architecture reviews with our founders. We walk through data flows, discuss deployment models, and answer technical questions.
Documentation available:
- Architecture diagrams and data flow docs
- Software Bill of Materials (SBOM) with SHA256 digests for container images
- SIG Lite questionnaire responses
- Sample DPA and Terraform templates
Customers may conduct their own security assessment of edge app container images. Contact security@log10x.com to coordinate.
Who at Log10x can access my metrics data
SaaS mode: Access to customer Prometheus and Grafana instances is limited to engineering leads for operational support. All access is audited via AWS CloudTrail. Access logs are available on request -- contact security@log10x.com.
Self-managed mode: Log10x has zero access to your infrastructure, metrics, or dashboards.
What does the compiler do
The Compiler runs inside your environment (k8s cluster, CI/CD) to generate symbol libraries. Log10x never sees your repositories, code, or symbol libraries. See the Compiler FAQ for what the compiler extracts, how it's stored, and how to scope access.
How are analytics tool credentials managed
API keys for Splunk, Datadog, GitHub, etc. remain in your infrastructure and are never transmitted to Log10x SaaS.
10x apps run within your managed environment and connect to analytics tools using your existing network access.