The questions your security review will ask.

Where does our customer data live? Who else can see it?

On your infrastructure, full stop. Sutra is self-hosted on a server you control — a Plesk box, a Docker host, a Kubernetes cluster, anything that runs PHP and MariaDB. There is no SaaS tier, no shared multi-tenant cluster, no Sutra-operated copy of your data. Your CRM records never leave the network you put them on. We don’t see your customers; we don’t have a back-channel; there is nothing for us to subpoena.

How are sensitive values protected?

Sensitive settings — integration credentials, MFA secrets, API keys, SMTP and SES passwords — are encrypted at rest using libsodium’s crypto_secretbox (XSalsa20+Poly1305) before they are written to the database. The encryption key lives in a server-side environment file, not in the database. Transport encryption is your reverse proxy’s job — the standard Plesk / nginx / Cloudflare TLS stack — not something Sutra reinvents. Bulk record encryption is on the security backlog for a later milestone.

What auth options do you support?

Password authentication plus optional multi-factor: TOTP (authenticator app, no external service), email codes (via the same SES / SMTP integration the rest of the app uses), or SMS codes (via Twilio). Each user picks their method on the account Security tab; any enabled method satisfies the prompt. Single-use recovery codes act as the universal fallback. Changing a password always requires a verification code, MFA on or off.

SSO (SAML, Google Workspace, Okta) with SCIM provisioning is Coming on the M2.2 milestone and ships in the Business edition.

How is role-based access enforced? Can we scope what users see?

Sutra ships an ACL voter that runs on every read and write. Permissions are per-entity and per-action (read / create / update / delete) and can be scoped to own records, the team’s records, or all records. List queries are filtered at the SQL layer (you can’t accidentally leak rows by forgetting a filter in a controller); POSTs go through a voter check. Roles are managed in Admin; assignments live per-user. A territory / hierarchy ACL axis (continent → country → zone) is Coming on M2.0.

Can we prove who changed what, when? Can we recover from mistakes?

Every save writes a field-level diff to an append-only stream. Old and new values per field, picklist labels resolved, queryable as data. Nothing mutates in place; nothing silently overwrites. Any prior save can be restored without losing the intermediate history — and the restore itself is an audit event. This is the foundation the 21 CFR Part 11 plugin (electronic signatures, record lockdown, validation tracking) builds on; the foundation has shipped, the plugin Coming in Business.

Can we restrict where sign-ins come from?

Country access is shipped — an installation-wide allow/block list set by an admin, optionally tightened per user. The lookup runs entirely on your server against a local database (no third-party service, no API key — the database is a one-time download you refresh monthly). A trusted-proxies setting makes sure the visitor address is the one checked when you run behind Plesk, nginx, or Cloudflare. IP allowlists (admin-wide and per-user) and a Sessions & devices tab are Coming on the next Security milestone.

Can our security team review the code?

Sutra is GPL v3. The public repository opens at v1.0 GA — during the v1.0 beta, source is private while we iterate on potentially breaking interfaces. Beta access is available via the download form, and the Business edition includes early-access source review on request. There is no closed-source kernel and no obfuscated module; the open-core line is between Community features and Business features, never between “what you can see” and “what we hide”.

How do you handle security issues?

Report security issues via the contact form with topic Security; we aim to acknowledge within one business day during the beta and to publish advisories on the product timeline once a fix lands. A formal coordinated disclosure programme and a dedicated security@ address roll out with v1.0 GA; until then the contact form is the right channel. Business subscribers get a named contact for security escalations.

How do we get our data out if we leave?

Sutra runs on a standard MariaDB database that you operate. You have full mysqldump / SELECT access by definition; there is no proprietary store, no managed lock-in. A guided importer / exporter with column mapping, dry-run preview, and undo is Coming on M2.7 — useful both for inbound migrations from other CRMs and for portable exports.