Security

Data Protection

• All data is encrypted in transit using TLS.
• Passwords are hashed with bcrypt and never stored in plaintext.
• API keys are hashed (SHA-256) and never stored in plaintext.
• We only collect the minimum data required to operate the service.
• User identifiers used for feature flag evaluation are stored only when necessary for system functionality.
• We avoid logging sensitive information such as credentials or personal data. Logs are designed to exclude sensitive fields.

Authentication

• Secure authentication is used for user accounts.
• API keys can be revoked at any time from the dashboard.
• Role-based access control (RBAC) for organization members.
• Access to systems and data is restricted to authorized personnel only and follows the principle of least privilege.

Audit Logging

Flag changes, rule updates, and related actions are logged with user, timestamp, and action details for traceability.

Infrastructure

Our services run on secure cloud infrastructure with network isolation, access controls, and continuous monitoring. Systems are regularly updated and patched.

Incident Response

We have processes in place to detect, respond to, and communicate security incidents. Affected users will be notified when required and as appropriate.