Security
Catalyst's security model rests on four pillars:
- App-ID-bound identity — every workload gets a SPIFFE-based X.509 SVID that is automatically rotated. The data plane uses this identity to mutually authenticate every call between workloads and to backing infrastructure. No shared secrets in code. See Application Identities.
- Project and region isolation — App IDs, components, and policies are scoped to a project; projects are scoped to a region. Resources in one project cannot be accessed from another. See Organisations & Projects.
- Encrypted transport — all data-plane traffic is encrypted with mTLS; Catalyst manages certificate issuance and rotation.
- Externalised secret resolution — secrets are stored and resolved via the Dapr secrets API, keeping credentials out of component YAML and application code. See Secrets.
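To illustrate the fourth pillar, the following added example (not taken from the Catalyst documentation) shows a component in the open-source Dapr component format, first with a credential inlined and then with the same field resolved through a secret store. The component name, host, secret names, and secret store name are constructed for illustration, and it is an assumption that your Catalyst project accepts the component in this form.

```yaml
# WEAK: credential embedded directly in the component definition.
# Anyone who can read the YAML (repo, CI logs, backups) can read the password.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: orders-statestore            # constructed name
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: redis.example.internal:6379   # constructed host
  - name: redisPassword
    value: "EXAMPLE-ONLY-not-a-real-password"   # inline secret: avoid
---
# CORRECTED: the component carries only a reference.
# The value is fetched from the named secret store at load time,
# so the YAML can be committed and reviewed without exposing the credential.
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: orders-statestore
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: redis.example.internal:6379
  - name: redisPassword
    secretKeyRef:
      name: redis-credentials        # constructed secret name
      key: password                  # constructed key within that secret
auth:
  secretStore: project-secret-store  # constructed secret store component name
```

A review check that follows from this: any `metadata` entry whose name suggests a credential (password, key, token, connection string) should carry `secretKeyRef`, not `value`.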
Additional enterprise controls include RBAC, SSO, audit logs, seccomp compliance, and SOC 2 Type II certification. See the Dapr Open Source security guide for the OSS security baseline.