-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsecurity.html
More file actions
101 lines (78 loc) · 5.59 KB
/
Copy pathsecurity.html
File metadata and controls
101 lines (78 loc) · 5.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<!-- Favicons -->
<link rel="icon" href="/favicon.ico" sizes="any" />
<link rel="icon" href="/favicon.svg" type="image/svg+xml" />
<link rel="apple-touch-icon" href="/apple-touch-icon.png" />
<link rel="manifest" href="/site.webmanifest" />
<meta name="theme-color" content="#5c7a64" />
<title>Security — TangentFlow</title>
<meta name="description" content="TangentFlow security practices. No document data stored, TLS 1.3 encryption, EU-hosted infrastructure, and open-source auditability." />
<!-- Canonical -->
<link rel="canonical" href="https://tangentflow.com/security.html" />
<!-- Open Graph -->
<meta property="og:title" content="Security Practices — TangentFlow" />
<meta property="og:description" content="TangentFlow security practices. No document data stored, TLS 1.3 encryption, EU-hosted infrastructure, and open-source auditability." />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://tangentflow.com/security.html" />
<meta property="og:site_name" content="TangentFlow" />
<meta property="og:image" content="https://tangentflow.com/og-image.png" />
<!-- Twitter Card -->
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content="Security Practices — TangentFlow" />
<meta name="twitter:description" content="TangentFlow security practices. No document data stored, TLS 1.3 encryption, EU-hosted infrastructure, and open-source auditability." />
<meta name="twitter:image" content="https://tangentflow.com/og-image.png" />
<link rel="preconnect" href="https://fonts.googleapis.com" />
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
<link href="https://fonts.googleapis.com/css2?family=Newsreader:ital,wght@0,300;0,400;0,500;1,400&family=Outfit:wght@300;400;450;500;600;700&display=swap" rel="stylesheet" />
<link rel="stylesheet" href="css/tangentflow.css" />
</head>
<body data-page="security">
<div id="site-nav"></div>
<main>
<!-- Hero -->
<section class="hero">
<div class="container">
<h1 class="heading-xl">Security Practices</h1>
</div>
</section>
<!-- Content -->
<section class="section" style="padding-top:0;">
<div class="container-narrow prose">
<h2>Overview</h2>
<p>TangentFlow is designed with security-first principles. The most important thing to know: <strong>we do not store your document data</strong>. Documents are generated in-memory, returned to you, and immediately discarded. There is nothing to breach because there is nothing to store.</p>
<h2>Architecture</h2>
<p>Documents are generated in-memory within isolated processes. PDF bytes are streamed directly back to the client and never written to disk. Each request is handled independently with no shared state between requests.</p>
<h2>Encryption</h2>
<p>All API traffic is encrypted via <strong>TLS 1.3</strong>. API keys are generated using cryptographically secure random bytes, ensuring they cannot be predicted or brute-forced.</p>
<h2>Authentication</h2>
<p>API access is authenticated via Bearer token API keys included in request headers. Keys can be revoked at any time through the dashboard. Revoked keys are rejected immediately — there is no grace period.</p>
<h2>Infrastructure</h2>
<p>TangentFlow is hosted on <strong>Hetzner Cloud</strong> in Germany, within the European Union. The application runs in Docker containers with a minimal attack surface — no unnecessary packages, no shell access, no root processes.</p>
<h2>No Data Retention</h2>
<p>Document schemas sent to the API and the generated PDF output are processed entirely in-memory. Nothing is logged, cached, or written to persistent storage. Once the response is sent, the data is gone.</p>
<h2>Rate Limiting</h2>
<p>Per-key rate limits are enforced to prevent abuse and ensure fair usage across all customers. Rate limits are configurable per pricing tier, and requests that exceed the limit receive a clear error response.</p>
<h2>Open Source</h2>
<p>The core library (<code>@upbrew/tangentflow</code>) is fully open source and available on GitHub. You can audit the code, review the algorithms, and verify that the library does exactly what it claims — nothing more.</p>
<h3>npm Provenance</h3>
<p>Published npm packages are cryptographically linked to their GitHub source via <strong>npm provenance</strong>. This means you can verify that any published version was built directly from the public repository, with no tampering in between.</p>
<h2>Vulnerability Reporting</h2>
<p>If you discover a security vulnerability, please report it responsibly to <a href="mailto:security@tangentflow.com">security@tangentflow.com</a>. For details on our disclosure process, see <code>SECURITY.md</code> in the GitHub repository.</p>
<h2>Compliance</h2>
<p>TangentFlow is <strong>GDPR-compliant by design</strong>. With no document data retention and all servers located in the EU, there is minimal data exposure by architecture rather than by policy alone.</p>
<ul>
<li><strong>GDPR</strong> — compliant (no data retention, EU servers, minimal data collection)</li>
<li><strong>SOC 2</strong> — planned for 2027</li>
<li><strong>ISO 27001</strong> — planned for 2027</li>
</ul>
</div>
</section>
</main>
<div id="site-footer"></div>
<script defer src="js/nav.js"></script>
</body>
</html>