Security & Admin Hardening
Purpose
This page consolidates the security posture of Visual Expert (VE) and provides practical hardening steps for administrators. It complements two other reference documents:
1) Security Posture — What VE Does (and Does Not) Do
Scope & Access
- User-controlled scope: Visual Expert analyzes only the source elements you explicitly select for analysis. This includes source files, database object definitions (procedures, functions, views), SQL queries, and application code. No automatic scanning of your entire environment occurs without your explicit instruction.
- No business data processing: Visual Expert processes code and metadata (object definitions, schemas, code structure) but does not access or process production data, business records, or runtime data from your databases or applications.
- Read-only operations: Visual Expert operates in read-only mode. It does not modify your source code, database schemas, or any other elements in your environment.
AI Data Handling (VE AI)
Human Access Policy
- No default human access: By default, no human at Novalys or any third party has access to your code excerpts, AI outputs, or Project Context data.
- Support access requires approval: Access by Novalys support staff is only possible with your explicit written authorization. When granted, access is strictly limited to the minimum data necessary to resolve your support case and is logged for audit purposes.
Encryption & Isolation
- Data in transit: All communications between Visual Expert components use TLS encryption to protect data during transmission.
- Data at rest: Data stored in VE Cloud and at OpenAI (via API) is encrypted using AES encryption algorithms.
- Tenant isolation: Each customer's data is isolated at the tenant level in VE Cloud.
- Environment separation: Development, testing, and production environments are separated to maintain security boundaries.
2) Retention & Deletion
VE Cloud (Customer Tenant)
Project Context elements (code excerpts, AI outputs, and derived representations) are retained in your VE Cloud tenant for as long as they are needed to support VE AI functionality and improve analysis quality for your project.
Deletion process: All Project Context data is deleted upon your request or automatically when your service agreement ends. To request deletion, contact Novalys support with your specific requirements.
OpenAI (via API)
OpenAI retains data only for the duration necessary to provide the AI service to your Visual Expert instance.
Deletion timeline: OpenAI deletes all retained data within 30 days (maximum) after receiving your deletion instruction (relayed through Visual Expert) or upon termination of service.
3) Identity & Access Management
- Account provisioning: Access to Visual Expert is granted exclusively to user accounts explicitly approved by your organization. No default or automatic account creation occurs.
- Least privilege principle: Grant Visual Expert access only to the specific repositories, databases, or code sources required for analysis.
- Separation of duties: Maintain separation between Visual Expert administration and source/database administration roles.
4) Logging & Monitoring
Visual Expert maintains minimal technical logs that include identifiers, timestamps, operation status, and diagnostic information. These logs support operational monitoring and troubleshooting.
Customers can implement their own network monitoring and security controls (such as proxy servers, SIEM systems, or network traffic analysis tools) to maintain visibility into Visual Expert's activity within their environment.
5) Vulnerability Management
Patch Cadence & Remediation SLAs
- Critical vulnerabilities: Remediation target of 7 days or less from identification
- High-severity vulnerabilities: Remediation target of 30 days or less
- Medium and Low-severity vulnerabilities: Remediated per internal risk assessment policies
Dependency Hygiene
Novalys continuously monitors and updates third-party components and dependencies based on security risk assessments and vendor security advisories.
6) Secure Software Development Lifecycle (SDLC)
- Code reviews: All code changes undergo peer review before integration.
- Gated merges: Code merges require passing automated and manual quality gates.
- Static and Dynamic Analysis: Visual Expert uses SAST and DAST tools to detect security issues early.
- Supply chain controls: Build artifacts are signed and integrity-checked.
- Code signing: Executable components are digitally signed before release.
- Change tracking: All software releases are versioned and traceable through documentation.
7) Change Management
- Environment separation: Development, test, and production environments are segregated.
- Controlled rollouts: Software releases follow staged deployment with validation gates.
8) Customer Responsibilities
Scope Discipline
Select only the repositories, databases, or code objects you specifically intend to analyze with Visual Expert. Avoid granting access to unrelated or sensitive code repositories.
Secrets Hygiene
Avoid embedding secrets (passwords, API keys, tokens, certificates) in code submitted to VE AI. If secrets are discovered, rotate them immediately.
Access Control
Approve only necessary user accounts, review access regularly, and remove unused accounts.
AI Governance
Novalys can configure VE AI credits to zero for repositories where AI analysis should not be used. You can also block outbound traffic to AI service endpoints.
Outbound Policy
Implement allow-listing and egress controls as per the Architecture & Network document to ensure only authorized Visual Expert traffic leaves your network.
Data Lifecycle
Request deletion of Project Context elements when no longer needed or upon service agreement termination.
9) Admin Hardening Checklist
Accounts & Authorization
- Maintain a documented list of all approved Visual Expert user accounts.
- Remove unused or inactive accounts promptly.
- Enforce least privilege for repository and database access.
AI Usage Controls
- Allocate VE AI credits only to teams with legitimate need.
- Request Novalys to set AI credits to zero where AI features must not be used.
- Optionally block outbound traffic to AI service domains.
- Communicate guidance: VE AI is triggered only through predefined UI controls and submits minimal code excerpts.
Network & Egress
- Apply domain allow-listing and outbound rules as per the Architecture & Network document.
- Ensure firewalls and proxies do not break TLS certificate validation.
Source Hygiene
- Use Visual Expert's scanning features to detect embedded secrets before enabling AI usage.
- Establish a policy to remove sensitive data from code comments before AI submission.
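One way to run a local pre-submission check for the secret types named on this page (passwords, API keys, tokens, certificates), including secrets left in comments. This is an added example, not Visual Expert's scanning feature or Novalys code; the rules, the function names `scan` and `safe_to_submit`, and the sample procedure are constructed for illustration.

```python
import re

# Constructed sample: a PL/SQL procedure of the kind selected for analysis.
SAMPLE = """\
CREATE OR REPLACE PROCEDURE sync_orders IS
  -- prod login: svc_sync / password=Summer2024!  (remove before review)
  v_url   VARCHAR2(200) := 'https://api.example.invalid/orders';
  v_token VARCHAR2(200) := 'api_key=EXAMPLE0KEY0NOT0REAL0123456789';
  v_name  VARCHAR2(30)  := 'password_policy';
BEGIN
  /* cert for the gateway:
     -----BEGIN PRIVATE KEY----- */
  NULL;
END;
"""

# Illustrative rules for the secret types the page names; tune for your code base.
RULES = [
    ("password", re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*(?::=|=|:)\s*'?[^\s']{4,}")),
    ("api-key/token", re.compile(r"(?i)\b(?:api[_-]?key|token|secret)\b\s*(?::=|=|:)\s*'?[^\s']{8,}")),
    ("certificate/key", re.compile(r"-----BEGIN [A-Z ]*(?:PRIVATE KEY|CERTIFICATE)-----")),
]

def scan(source):
    """Return (line_no, rule, 'comment'|'code') findings; values are never echoed."""
    findings, in_block = [], False
    for no, line in enumerate(source.splitlines(), 1):
        for rule, rx in RULES:
            for m in rx.finditer(line):
                before = line[:m.start()]
                # In a comment if a /* */ block is still open, or -- or /* precedes the match.
                # Simplification: does not parse -- or /* inside string literals.
                commented = (in_block and "*/" not in before) or "--" in before \
                    or before.rfind("/*") > before.rfind("*/")
                findings.append((no, rule, "comment" if commented else "code"))
        if line.rfind("/*") > line.rfind("*/"):
            in_block = True
        elif "*/" in line:
            in_block = False
    return findings

def safe_to_submit(source):
    """Gate: only sources with no findings pass."""
    return not scan(source)

if __name__ == "__main__":
    for no, rule, where in scan(SAMPLE):
        print(f"line {no}: {rule} in {where}")
```

Findings report only the line, rule and location so the check's own output does not become another copy of the secret; anything it flags should be rotated as well as removed.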
Security & Hardening — FAQ
- S1. What does VE access in our environment?
  - Visual Expert accesses only code and database object definitions that you explicitly select for analysis.
- S2. Does VE modify our code or databases?
  - No. Visual Expert operates in read-only mode and does not modify your code or databases.
- S3. What data leaves our environment when using VE AI?
  - Only a predefined macro request and a minimal code excerpt necessary for your analysis are transmitted.
- S4. Is anyone but us allowed to view our excerpts or outputs?
  - No. Access is limited to your users unless you authorize Novalys support staff.
- S5. Are inputs or outputs used to train AI models?
  - No. Inputs and outputs are not used to train or fine-tune AI models.
- S6. How is data protected in transit and at rest?
  - Data is protected with TLS encryption during transmission and AES encryption at rest.
- S7. How is isolation enforced between customers and projects?
  - Isolation is enforced through tenant segregation in VE Cloud and project-level data silos.
- S8. What are your remediation targets for vulnerabilities?
  - Critical vulnerabilities: 7 days or less; High-severity: 30 days or less; others per internal risk assessment policies.
- S9. What are our responsibilities in the shared security model?
  - Limit analysis scope, avoid secrets in code, control access, and manage data deletion.
Glossary
- AES: Advanced Encryption Standard — symmetric encryption for data at rest
- API: Application Programming Interface — software communication protocols
- DAST: Dynamic Application Security Testing — testing on running applications
- DPA: Data Processing Agreement — governs data processing between parties
- SAST: Static Application Security Testing — testing on source code
- SDLC: Software Development Lifecycle — planning, creating, testing, deploying software
- SIEM: Security Information and Event Management — systems analyzing security logs
- TLS: Transport Layer Security — protocol for secure network communication