Security Overview

Last Updated: August 27, 2025

Data handling (demo)

Demo inputs should be synthetic. Demo input text is not stored; processing is limited to providing the evaluation experience. Logs record minimal usage metadata (see Privacy Policy).

Architecture & access control

• Role-Based Access Control (admin, viewer) with least-privilege enforcement for administrative access.
• Operator-controlled, containerized workloads and segregated services.

Encryption

• In transit: TLS 1.2+ enforced for all connections to infrastructure providers (Neon, Cloudflare R2, Upstash, Google Cloud).
• At rest: Provider-managed AES-256 (Neon, R2, Upstash, Google Cloud). Application-level AES-128-CBC is used for webhook secrets.

Secrets management

Secrets are stored in Google Secret Manager and injected as environment variables. Rotation cadence is operator-dependent.

Application security controls

• Rate limiting on sensitive endpoints.
• Regex timeouts to reduce ReDoS risk.
• SSRF protections on outbound requests/webhooks.
• Structured logging with redaction of sensitive fields.

Vulnerability management

Static analysis (Bandit) and dependency scanning (pip-audit) run on commits; critical issues are remediated prior to deployment.

Backups & disaster recovery

Operator-configurable, leveraging provider capabilities (e.g., Neon snapshots, R2 versioning). RTO/RPO targets are set by the operator/buyer.

Subprocessors & data location

• Neon (database) — AWS Europe West 2 (London)
• Cloudflare R2 (object storage) — Eastern Europe (EEUR)
• Upstash (cache & message broker) — eu-west-2
• Google Cloud (container registry & hosting) — europe-north1, europe-west1

Vulnerability disclosure

Report security issues to norrexit@gmail.com. A security.txt file is not currently published.

Compliance note

Measures are designed to meet GDPR Article 32 expectations for appropriate technical and organizational measures, proportionate to risk. See also our Compliance Pack.