
Security

How we protect your data and how to report a vulnerability.

Reporting a vulnerability

If you discover a security issue, please contact us privately. We do not operate a public bug-bounty programme but we acknowledge every report and engage in good faith.

security.txt
/.well-known/security.txt (RFC 9116)
Response SLA
Acknowledgement within 2 business days; triage within 5 business days; remediation timelines depend on severity (critical issues fixed within 14 days).

Safe-harbour terms

We will not take legal action or notify law enforcement against researchers who:

  • Make a good-faith effort to avoid privacy violations and service disruption.
  • Only access, modify, or destroy data belonging to themselves or test accounts.
  • Provide reasonable time to investigate and remediate before public disclosure (90 days minimum, sooner if mutually agreed).
  • Do not engage in social engineering of staff or customers.

Security posture

Encryption
TLS 1.3 in transit. AES-256-GCM at rest with envelope encryption (per-tenant data keys wrapped by an HSM-rooted master key).
Tenant isolation
Per-project Postgres pools; RBAC enforced at the SDK boundary; cross-tenant access blocked by `getProjectDbChecked` runtime guard (CI-enforced).
Audit trail
Every privileged mutation (token issue, deploy, secret change) is logged to a hash-chained audit table — tamper-evident and exportable for compliance review.
Supply chain
Dependencies pinned via lockfile; container images pinned by SHA-256 digest (never by tag); CI runs `bun audit` + secret-scan on every PR.
Workload identity
Platform-internal services authenticate via SPIFFE SVID mTLS (trust domain sylphx.local). HMAC fallback retained only for customer webhooks, deprecated for platform calls.
Secret hygiene
PII / tokens / passwords redacted from every log line via SSOT redaction set, enforced by negative-leak tests in CI.
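To show what the tamper-evident property of the hash-chained audit table above means in practice, here is a small added example (not the platform's own code): each record's hash covers its content and the previous record's hash, so a verifier that recomputes the chain finds the first modified or removed record. Entry fields, actor names and the SHA-256 choice are assumptions for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first record's prev_hash


def _canonical(body: dict) -> bytes:
    # Canonical JSON: same field order and spacing, so identical entries hash identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: list, actor: str, action: str, target: str) -> dict:
    """Append one privileged-mutation record linked to the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "actor": actor, "action": action,
            "target": target, "prev_hash": prev_hash}
    record = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Recompute every hash and link; return (ok, seq_of_first_bad_record)."""
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        # A deleted or reordered record breaks the seq or the prev_hash link.
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return False, i
        # An edited record no longer matches its stored hash.
        if hashlib.sha256(_canonical(body)).hexdigest() != record["hash"]:
            return False, i
        prev_hash = record["hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample: the three mutation kinds named on the page."""
    chain = []
    append_entry(chain, "alice", "token.issue", "proj-123")
    append_entry(chain, "bob", "deploy", "proj-123")
    append_entry(chain, "alice", "secret.change", "proj-123/DB_URL")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["actor"] = "mallory"  # simulate an after-the-fact edit
    print("tampered:", verify_chain(chain))
```

Removing records from the tail is not detectable from the chain alone, so an export for review should be accompanied by the latest hash recorded out of band.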

Data handling

  • Region pinning: data stays in the region you select; cross-region replication only with explicit opt-in.
  • Backups: daily logical backups plus continuous WAL streaming, encrypted at rest, retained 30 days.
  • Deletion: account-deletion request honoured within 30 days; backup copies purged within an additional 90-day rolling window.
  • Subprocessors: see current list (updated when changed; 30-day notice for material additions).

Compliance & standards

We design controls against SOC 2 Type II and follow industry standards (OWASP ASVS L2, CIS Benchmarks, NIST 800-53 Moderate). Formal attestation status is published on request to enterprise customers under NDA — email [email protected] to request the latest report.