Security overview
How AACsearch protects your data — API keys, scoped tokens, tenant isolation, audit logs, and enterprise controls.
AACsearch is built so a third party — or another tenant — can never read your data, even by accident. This page is the entry point for the security model. Use the table of contents to drill into the specific control you care about.
Threat model in one paragraph
AACsearch is a hosted multi-tenant search service. The two most likely attack paths are: (1) a leaked or stolen API key, and (2) a misuse of cross-tenant filters from a browser. Every control below is designed against those two paths. We do not depend on obscurity, and we do not store key material we could ever hand over to a third party.
Controls at a glance
| Control | Status | Page |
|---|---|---|
| Hashed API keys with scopes | ✅ Generally available | API keys |
| Scoped search tokens (browser-safe) | ✅ Generally available | Scoped tokens |
| Origin allow-list | ✅ Generally available | Origin allow-list |
| Tenant isolation | ✅ Enforced by default | Tenant isolation |
| Audit logs | ✅ Generally available | Audit logs |
| Data residency (EU / US / RU) | ✅ Generally available | Data residency |
| SSO + SCIM provisioning | 🟡 Enterprise add-on | SSO and SCIM |
| IP allow-list (org-level) | 🟡 Roadmap (no API yet) | IP allow-list |
| Encryption in transit | ✅ TLS 1.3 | Data privacy |
| Encryption at rest | ✅ AES-256 | Data privacy |
| 2FA / passkeys for dashboard | ✅ Generally available | Best practices |
| SOC 2 readiness checklist | 🟡 In progress | SOC 2 checklist |
| GDPR / 152-FZ | ✅ Compliant | Data privacy |
Anything not listed above is not generally available. If you read a claim about "self-hosted", "air-gapped", or "white-label" elsewhere, treat it as roadmap unless this page flags it as ✅.
Where each layer lives
```
Browser / mobile ─┐
                  │ scoped token (HMAC, TTL, AND-combined filter)
                  ▼
Origin check ──→ Hashed API key ──→ Tenant filter ──→ Search cluster
                                   (org + project + index)
```

- Origin check rejects requests whose `Origin` header is not on the key's allow-list.
- API key verification compares `sha256(rawKey)` against the stored hash. The raw key is never persisted.
- Scope check rejects writes from search-only keys, etc. See API keys.
- Tenant filter is forced into every Typesense query so cross-org reads cannot happen — even with an admin key. See Tenant isolation.
- Scoped tokens (when used) layer an additional filter that is AND-combined, never OR-combined. See Scoped tokens.
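The pipeline above, written out as a single authorization function so the ordering and the AND-only combination are visible. This is an added example, not AACsearch's code: the key record layout, the key and secret values, the scoped-token wire format (`ss_scoped_` prefix, base64 payload, HMAC-SHA256 signature) and the rule that keys without an allow-list skip the origin check are all assumptions made for the example. Filter strings follow Typesense `filter_by` syntax (`field:=value`, joined with `&&`), since the page says the tenant filter is forced into every Typesense query.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data for this example. The key, its hash, the scoped-token
# secret, the tenant ids and the record layout are all made up; none of it is
# AACsearch's real storage or key format.
RAW_SEARCH_KEY = "ss_search_EXAMPLE_ONLY_0123456789"
KEY_STORE = {
    # Only sha256(rawKey) is persisted; the raw key never reaches storage.
    hashlib.sha256(RAW_SEARCH_KEY.encode()).hexdigest(): {
        "org_id": "org_42",
        "project_id": "proj_7",
        "scopes": {"search"},                         # search-only key
        "allowed_origins": {"https://shop.example"},  # browser-side key
        "token_secret": b"constructed-scoped-token-signing-secret",
    }
}
WRITE_ACTIONS = {"import", "upsert", "delete"}
TOKEN_PREFIX = "ss_scoped_"


def verify_api_key(raw_key, key_store):
    """Resolve a presented key by hashing it and looking up the digest."""
    return key_store.get(hashlib.sha256(raw_key.encode()).hexdigest())


def origin_allowed(record, origin):
    """Keys with an allow-list require a matching Origin header (assumption:
    keys without an allow-list are server-side and skip the check)."""
    allowed = record.get("allowed_origins")
    if not allowed:
        return True
    return origin is not None and origin in allowed


def scope_allows(record, action):
    """Writes need the 'write' scope; everything else needs 'search'."""
    needed = "write" if action in WRITE_ACTIONS else "search"
    return needed in record["scopes"]


def tenant_filter(record):
    """The filter that is forced into every query, regardless of key or token."""
    return f"org_id:={record['org_id']} && project_id:={record['project_id']}"


def combine_filters(*parts):
    """AND-combine, never OR-combine: a caller-supplied filter can only narrow."""
    return " && ".join(f"({p})" for p in parts if p)


def mint_scoped_token(filter_by, ttl_seconds, secret, now=None):
    """Server-side only. Signs {filter_by, exp} with HMAC-SHA256 (constructed format)."""
    now = time.time() if now is None else now
    payload = json.dumps({"filter_by": filter_by, "exp": int(now) + ttl_seconds},
                         sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{TOKEN_PREFIX}{body}.{sig}"


def verify_scoped_token(token, secret, now):
    """Return the token's filter, or None if the signature or TTL fails."""
    if not token.startswith(TOKEN_PREFIX):
        return None
    body, _, sig = token[len(TOKEN_PREFIX):].partition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None  # tampered payload or wrong secret
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= now:
        return None  # expired
    return payload["filter_by"]


def authorize(request, key_store=KEY_STORE, now=None):
    """Run the layers in order and return either a rejection or the final filter."""
    now = time.time() if now is None else now
    # The allow-list lives on the key record, so the key is resolved first.
    record = verify_api_key(request.get("api_key", ""), key_store)
    if record is None:
        return {"ok": False, "reason": "unknown api key"}
    if not origin_allowed(record, request.get("origin")):
        return {"ok": False, "reason": "origin not on allow-list"}
    if not scope_allows(record, request.get("action", "search")):
        return {"ok": False, "reason": "scope does not permit action"}
    filters = [tenant_filter(record)]  # forced first, never optional
    if request.get("scoped_token") is not None:
        extra = verify_scoped_token(request["scoped_token"], record["token_secret"], now)
        if extra is None:
            return {"ok": False, "reason": "invalid or expired scoped token"}
        filters.append(extra)
    filters.append(request.get("filter_by"))  # caller's own filter, AND-combined
    return {"ok": True, "filter_by": combine_filters(*filters)}
```

The point to take from `authorize` is that a caller who supplies `filter_by: "org_id:=org_99"` still gets `(org_id:=org_42 && project_id:=proj_7) && (org_id:=org_99)`, which matches nothing outside the key's tenant; there is no code path that lets a token or request filter replace the tenant filter rather than narrow it.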
Production checklist
Before going live, please confirm:
- Production API keys are not the keys you used during development.
- No API key is committed to a Git repository. Search your repo for `ss_search_`, `ss_connector_`, and `ss_scoped_`.
- Browser code uses only scoped tokens or origin-restricted search keys — never an `admin` or `ingest` key.
- Origin allow-list is configured for every browser-side key. See Origin allow-list.
- 2FA is enabled for every dashboard user with `admin` or `owner` role.
- Audit log export is wired into your SIEM if you have one.
- Your data residency region matches your compliance requirements. See Data residency.
For the full operational checklist (uptime, backups, monitoring), see Production readiness.
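A small scanner for the "no API key committed" item in the checklist above, added here as an example rather than taken from the AACsearch project. It searches for the three key prefixes named on this page and reports each hit redacted, so the finding itself does not copy a live key into a ticket or CI log. The character class and minimum length after the prefix are assumptions (the real key format is not documented here), and the repository contents are constructed sample data.

```python
import re

# Prefixes named in the production checklist above. The character class and the
# minimum length after the prefix are assumptions for this example; the real
# AACsearch key format is not documented on this page.
KEY_PATTERN = re.compile(r"\b(ss_(?:search|connector|scoped)_)([A-Za-z0-9_\-]{8,})")

# Constructed sample repository contents: one key-shaped string in source, one in
# a committed env file, and a docs line that only mentions the bare prefixes
# (which must not be reported).
SAMPLE_REPO = {
    "src/search.js": [
        'const client = new Client({ apiKey: "ss_search_EXAMPLEabcdef1234567890" });',
        "// TODO: load the key from the server instead",
    ],
    "docs/keys.md": ["Keys are prefixed with ss_search_, ss_connector_ or ss_scoped_."],
    ".env": ["AAC_SEARCH_KEY=ss_connector_EXAMPLE9876543210zyxw"],
}


def redact(prefix, secret):
    """Report a finding without copying the full key into logs or tickets."""
    return f"{prefix}...{secret[-4:]}"


def scan_repo(files):
    """Return one finding per key-shaped string, with the key redacted.

    `files` maps a path to its lines; in a real run, read them from the
    working tree or from `git log -p` output.
    """
    findings = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            for match in KEY_PATTERN.finditer(line):
                prefix, secret = match.groups()
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": prefix.split("_")[1],  # search / connector / scoped
                    "redacted": redact(prefix, secret),
                })
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']}: {f['kind']} key {f['redacted']}")
```

Run it over the full history, not just the current tree, since a key removed in a later commit is still recoverable from Git.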
Reporting a vulnerability
Email security@aacsearch.com with a description, reproduction steps, and your contact information. We acknowledge reports within 1 business day. Please do not file vulnerabilities as public GitHub issues.
See also
- Dashboard → API keys — create, rotate, and revoke keys from the UI
- Quickstart — getting started with a least-privilege key
- Enterprise controls — procurement, DPA, dedicated clusters