Security

How we keep your infrastructure safe

Infrastructure

• Servers: Provisioned on Hetzner bare metal infrastructure in ISO 27001 certified data centers
• Network: DDoS protection included on all servers via Hetzner's network infrastructure
• API: Runs on Cloudflare Workers with automatic TLS, WAF, and global edge distribution

Authentication

• API tokens are generated server-side with cryptographically secure random bytes
• OAuth 2.0 via Google and GitHub for dashboard access
• Supabase Auth with PKCE flow for session management
• All API calls authenticated via Bearer token

Data Protection

• All connections encrypted in transit (TLS 1.3)
• Database hosted on Supabase with row-level security policies
• Server credentials never stored in plaintext after initial provisioning
• Root passwords shown once at deploy time, then discarded

Server Security

• SSH key authentication supported (recommended)
• Firewall configuration available via Hetzner Cloud
• Clean OS images (Ubuntu 24.04 LTS by default)
• No agents or monitoring software pre-installed

Reporting Vulnerabilities

Found a security issue? Email [email protected]. We take all reports seriously and will respond within 24 hours.

SOC 2 / Compliance

We're working toward SOC 2 Type II compliance. Our infrastructure providers (Hetzner, Cloudflare, Supabase) maintain their own compliance certifications.