Network Security

Antei is hosted entirely on modern cloud infrastructure and benefits from secure defaults enforced by providers such as Cloudflare, Render, Railway, and Xano. Our system architecture minimizes exposure and follows a zero-trust approach for internal access.

Infrastructure Providers

  • Cloudflare: Handles TLS termination, DNS routing, asset delivery (via R2), and DDoS protection
  • Render: Hosts services including PDF generation and background workers behind secure API layers
  • Railway: Powers utility functions, integration handlers, and background microservices
  • Xano: Manages the backend database, APIs, and data logic under scoped access control
  • Retool Cloud: Hosts the frontend user interface with secure API integration to Xano

Public Exposure Model

  • No Public Databases: Neither Xano, Railway, nor Render exposes database instances publicly
  • Controlled Ingress: All API calls go through scoped, authenticated endpoints
  • Edge Routing: Cloudflare ensures HTTPS enforcement and secure DNS routing globally

Access Control

  • Scoped API Keys: Internal services use API keys tied to organizations with strict permission boundaries
  • No SSH / Shell Access: Infrastructure is managed via platform dashboards with no shell or terminal-level access
  • Token Validation: All sessions are validated per user and organization context before data access is granted

Logging & Monitoring

  • Request Logs: API usage, background syncs, and webhook calls are logged in Xano and Render
  • Runtime Monitoring: Railway and Render provide service health and alerts for failure cases
  • Error Tracking: Failures in Workers and Xano endpoints are logged and reviewed internally

What We Don’t Claim (Yet)

  • No VPN tunneling or private mesh networking between services
  • No intrusion detection system (IDS) or SIEM
  • No IP allowlisting or network segmentation at runtime

Questions?

For infrastructure or routing details, contact security@antei.com.