Technical Security Summary · AAMOS Platform

Security Posture Overview

Detailed security architecture for IT security and procurement teams. Honest assessment including known gaps and remediation roadmap.

Authentication & Authorization
Authentication
JWT-based stateless auth with RBAC
Status: Hardened
Token format: JWT (HS256 · migration to RS256 on roadmap)
Token lifetime: 1 year (known gap — see below)
Session tokens: Short-lived cookie-based for web UI
MFA: Not yet implemented — roadmap Q3 2026
BankID: eIDAS integration available (SE market)
RBAC roles: 10 roles · org-scope isolation · principle of least privilege
API keys: Per-integration keys · scoped permissions
Encryption
Encryption at Rest & in Transit
AES-256 + TLS 1.3
Status: Strong
In transit: TLS 1.3 · HSTS enforced · TLS 1.0/1.1 disabled
At rest (DB): AES-256 (AWS RDS encryption)
At rest (S3): AES-256 (SSE-S3) · bucket policies enforced
Key management: AWS KMS (managed keys) · rotation policy
Certificate: AWS ACM · auto-renew · wildcard *.wavult.com
Infrastructure & Network
AWS eu-north-1 (Stockholm)
VPC-isolated · multi-AZ
Status: Active
Cloud provider: AWS (ISO 27001, SOC 2 Type II certified)
Region: eu-north-1 — Stockholm, Sweden (EU)
Availability zones: 2 AZs · automatic failover
Network isolation: VPC · private subnets · NAT gateway
Load balancer: AWS ALB · WAF attached · SSL termination
DDoS: AWS Shield Standard · CloudFront optional
DNS: Cloudflare (proxy-off) · DNSSEC capable
Access Control (RBAC)
Role-Based Access Control
10 roles · org-scoped · least privilege
Status: Active
Role count: 10 predefined roles (superadmin → viewer)
Scope isolation: Hard org-boundary · cross-org access impossible
Admin access: Separate admin console · audited
API access: Scoped API keys per integration
Audit logging: All access events logged to GECL chain
Audit Trail (GECL)
GECL Immutable Audit Chain
SHA-256 · tamper-evident · 8 109+ blocks
Status: Active
Hash algorithm: SHA-256 chained blocks
Tamper detection: Each block references parent hash
Events logged: AI decisions, data access, config changes, auth events
Retention: Indefinite (append-only)
Export: JSON export available for external audit
Rate Limiting & API Security
API Rate Limiting
Per-IP + per-user limits
Status: Active
Standard limit: 100 req/min per IP
Burst limit: 1 000 req/min (authenticated)
AI endpoints: Separate limits · circuit breaker pattern
Headers: X-Content-Type-Options · X-Frame-Options · CSP (planned)
Input validation: JSON schema validation · size limits (10 MB body)
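The per-IP and per-user limits above can be modelled with a fixed-window limiter keyed on the caller's identity. The following is an added example, not AAMOS's own middleware; it assumes (this is an interpretation, not something the summary states) that the 100 req/min per-IP limit governs unauthenticated traffic, that the 1 000 req/min limit is per authenticated user, and that AI routes under a hypothetical `/ai/` prefix get a separate, lower per-user limit. The clock is injected so the behaviour is deterministic, and all sample requests (documentation-range IPs, user ids) are constructed.

```javascript
// Added example (not AAMOS code): fixed-window rate limiter with per-IP buckets
// for anonymous callers, per-user buckets for authenticated callers, and a
// separate per-user bucket for AI endpoints. Limits and route prefix are
// assumptions made for this demo.
class RateLimiter {
  constructor({ windowMs, limits }, now = () => Date.now()) {
    this.windowMs = windowMs;
    this.limits = limits; // { ip, user, aiUser } requests per window
    this.now = now;       // injectable clock (ms) for deterministic tests
    this.counters = new Map(); // bucket key -> { windowStart, count }
  }

  // Count one request against `key` and report whether `limit` is exceeded.
  _hit(key, limit) {
    const t = this.now();
    let c = this.counters.get(key);
    if (!c || t - c.windowStart >= this.windowMs) {
      c = { windowStart: t, count: 0 }; // new window: counter resets
      this.counters.set(key, c);
    }
    c.count += 1;
    return { allowed: c.count <= limit, remaining: Math.max(0, limit - c.count) };
  }

  // Decision for one request. Anonymous traffic is limited per IP; authenticated
  // traffic per user, with AI routes additionally capped by the stricter bucket.
  check({ ip, userId = null, path = '/' }) {
    const results = [];
    if (userId) {
      results.push(this._hit(`user:${userId}`, this.limits.user));
      if (path.startsWith('/ai/')) results.push(this._hit(`ai:${userId}`, this.limits.aiUser));
    } else {
      results.push(this._hit(`ip:${ip}`, this.limits.ip));
    }
    if (results.some((r) => !r.allowed)) return { status: 429, reason: 'rate limited' };
    return { status: 200, remaining: Math.min(...results.map((r) => r.remaining)) };
  }
}

// Constructed scenario: anonymous burst, authenticated burst, AI sub-limit,
// then a window rollover.
function simulate() {
  let clock = 0;
  const limiter = new RateLimiter(
    { windowMs: 60_000, limits: { ip: 100, user: 1000, aiUser: 20 } },
    () => clock,
  );
  const countAllowed = (n, req) => {
    let ok = 0;
    for (let i = 0; i < n; i++) if (limiter.check(req).status === 200) ok++;
    return ok;
  };

  const anonAllowed = countAllowed(150, { ip: '203.0.113.7' });                    // 100 pass, 50 blocked
  const authAllowed = countAllowed(150, { ip: '203.0.113.8', userId: 'u-17' });    // all 150 pass
  const aiAllowed = countAllowed(30, { ip: '203.0.113.8', userId: 'u-17', path: '/ai/chat' }); // 20 pass
  clock += 60_000;                                                                  // next window
  const anonAfterReset = countAllowed(1, { ip: '203.0.113.7' });                   // 1 pass
  return { anonAllowed, authAllowed, aiAllowed, anonAfterReset };
}

module.exports = { RateLimiter, simulate };
```

A fixed window is the simplest form; it allows up to 2x the limit across a window boundary, which is why production limiters often use sliding windows or token buckets. The per-user AI bucket is the piece that keeps a single authenticated caller from exhausting the LLM budget that the circuit breaker protects.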
Compliance Progress
SOC 2 Type II · 42%
ISO/IEC 27001:2022 · 79%
GDPR · 68%
EU AI Act · 52%
Penetration Testing
Independent Penetration Test
Planned Q3 2026 · vendor selection in progress
Status: Planned
Status detail: Scoping complete · vendor TBD
Scope: External attack surface · API endpoints · authentication · AI pipeline
Target date: Q3 2026
Report: Executive summary available to customers post-completion
Known Security Gaps & Roadmap
Honest Gap Assessment
Known issues and remediation timeline
JWT Algorithm: HS256 → RS256
Current long-lived tokens use HS256 (symmetric). Migration to RS256 (asymmetric), with short-lived access tokens and refresh token rotation, is planned.
→ Roadmap: Q3 2026
Severity: HIGH
1-Year Token Lifetime
Some API tokens have a 1-year expiry, which reduces rotation frequency. Mitigated by org-scope isolation and audit logging of all token usage.
→ Roadmap: Q3 2026 (short-lived + refresh)
Severity: HIGH
MFA Not Yet Implemented
Multi-factor authentication is not available in the current release. TOTP/WebAuthn implementation in progress.
→ Roadmap: Q3 2026
Severity: MED
Content Security Policy (CSP)
CSP headers not yet fully configured. X-Frame-Options and X-Content-Type-Options are active. Full CSP deployment pending UI stability.
→ Roadmap: Q3 2026
Severity: MED
DPIA Not Yet Signed
GDPR Art. 35 DPIA for AAMOS Ouroboros is in progress (DPO: Dennis Bjarnemark). Expected completion Q2 2026.
→ Roadmap: Q2 2026
Severity: MED
Vendor Pen Test
No third-party penetration test completed yet. Internal security review performed. External pen test scheduled Q3 2026.
→ Roadmap: Q3 2026
Severity: LOW
Security Roadmap 2026
Q2 2026
DPIA signed · GDPR Art. 35 complete
DPO Dennis Bjarnemark · Ouroboros platform scope
Q3 2026
RS256 JWT migration · MFA (TOTP) · CSP headers · Pen test
Full token rotation · WebAuthn optional · external vendor
Q4 2026
SOC 2 Type II audit · ISO 27001 certification
Auditor selection complete · evidence collection live
Technology Stack
Runtime
Node.js 22 · Express 4 · ESM modules
Infrastructure
AWS ECS · ALB + WAF · RDS PostgreSQL · S3 · ElastiCache
AI / LLM
Anthropic Claude · OpenAI GPT-4 · Google Gemini · Circuit breaker routing
Security
JWT HS256 · TLS 1.3 · AES-256 · GECL audit chain · RBAC · Rate limiting
AAMOS Security Posture Summary · Wavult Group AB · Generated 2026-05-19 · security@wavult.com