Security

Our commitment to keeping your data safe — and how to report a vulnerability.

Last Updated: March 6, 2026

Our Commitment

Security is foundational to everything we build at Castra Labs. We apply defense-in-depth principles across our infrastructure, enforce least-privilege access controls, and conduct regular reviews of our systems and dependencies.

All data transmitted between clients and our services is encrypted in transit using TLS 1.2 or higher. Sensitive data at rest is encrypted using industry-standard algorithms. We perform ongoing monitoring for anomalous activity and maintain an incident response plan to address security events quickly and transparently.

Security Practices

  • Defense-in-depth across all infrastructure layers
  • Least-privilege access controls enforced throughout
  • Encryption in transit (TLS 1.2+) and at rest for all sensitive data
  • Regular security reviews of systems and third-party dependencies
  • Continuous monitoring for anomalous activity
  • Documented incident response procedures

Responsible Disclosure

We welcome and appreciate the work of security researchers who help keep our platform safe. If you believe you have discovered a security vulnerability in any Castra Labs service, we ask that you report it to us privately before disclosing it publicly.

We commit to the following when you submit a report in good faith:

  • Acknowledge your report within 48 hours
  • Provide a timeline for remediation and keep you informed of our progress
  • Not pursue legal action against researchers who act in good faith and comply with this policy
  • Aim to resolve critical vulnerabilities within 7 days and moderate-severity issues within 30 days

Reporting a Vulnerability

To report a security vulnerability, please send a detailed email to our security team. Include the following in your report:

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any relevant proof-of-concept code or screenshots
  • Your contact information for follow-up

Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and address the issue.

Email: security@castralabs.co

Out of Scope

The following are generally considered out of scope for our security program:

  • Social engineering attacks against Castra Labs employees or contractors
  • Physical attacks against our offices or data centers
  • Denial of service (DoS/DDoS) attacks
  • Vulnerabilities in third-party services not directly controlled by Castra Labs
  • Issues requiring unlikely user interaction or physical device access