Security
Security posture, in plain language.
We're a young company. We don't have a SOC2 letter to wave at you. We do have controls in place — auth, encryption, audit log, rate limiting, secret rotation — and we're documenting them here as we ship. If you find something we missed, the vulnerability disclosure path is at the bottom of this page.
Data handling
- Encryption in transit. TLS 1.2+ on every public surface, single certificate covering cerebrochain.com, www.cerebrochain.com, and app.cerebrochain.com, renewed via Let's Encrypt every 60 days.
- Encryption at rest. The production database (MongoDB 8) lives on a DigitalOcean Premium SSD volume with full-disk encryption. Backups inherit the same encryption.
- Tenant isolation. Every database write carries a tenantId; every query filter requires it. The middleware that loads req.tenant rejects any request whose subscription is suspended, expired, or read-only.
- Single-region tenant. v1 keeps each tenant's data in a single region. Per-region residency is on the Enterprise plan; multi-region tenant deployment is on the Q3 roadmap.
Authentication and access control
- Password hashing. bcrypt on every account, with strength rules enforced server-side (uppercase, lowercase, digit, special, 8-char minimum).
- JWT sessions. Short-lived access tokens; refresh tokens rotated per session. Tokens are signed with a secret rotated 2026-04-26 and stored only server-side.
- Google OAuth. Production-wired since 2026-04-26 as an alternative sign-in path. Consent is scoped to email + profile only.
- Two-factor. TOTP-based 2FA is available via the /api/mfa route family — opt-in today, mandatory for Enterprise admins on request.
- RBAC. Role + permission checks on every mutation. Cerebrix-mediated mutations require explicit operator approval before they fire.
- Tier gating. Plan-tier-protected API routes (forecasting, drone mapping, SSO, scheduled exports) are checked server-side, not just in the UI. URL-bar bypass is not possible.
Application hardening
- Security headers. Helmet + a custom CSP that whitelists only first-party origins, our payment processor, and analytics. X-Frame-Options: DENY on the console; iframe embedding is blocked.
- Rate limiting. Per-route limiters on auth, MFA, password-reset, and the public Stripe checkout endpoint. Abuse circuits trip on repeated 4xx from a single IP / API key.
- CSRF. Same-site cookies + token-based CSRF protection on cookie-authenticated surfaces. JWT-authenticated API calls are exempt by design.
- Input validation. Every public route validates payload shape with a schema layer before any handler runs.
- Stripe webhook integrity. Every incoming webhook is verified against the Stripe signing secret before any tenant state is touched.
- WAF + DDoS. Cloudflare in proxy mode in front of the apex and app domains. Bot-management rules + automatic challenge on traffic anomalies.
Observability and audit
- Audit log. Every authenticated mutation lands in the audit collection with actor, tenant, route, before/after diff, and Cerebrix thread reference where relevant.
- Application logs. Structured JSON via Winston, retained on the production VPS with rotation. Sensitive fields (tokens, passwords, full webhook payloads) are redacted at the logger boundary.
- Health endpoints. /health reports liveness; sub-system probes report MongoDB / Redis / RabbitMQ connectivity. We don't expose internal stack traces in error responses.
Dependency hygiene
- npm audit on every CI run. Pipeline fails on high/critical vulnerabilities; medium and low are tracked weekly.
- Pinned versions. Production deps are pinned with npm ci from the committed lockfile — no surprise transitive updates between deploys.
- Secret scanning. Pre-commit hook runs a secret scanner on staged files; CI re-runs against the diff. .env, credentials, and live keys can't land in the repo.
Compliance status
- SOC2 Type 1 — pre-engagement. Controls listed above are in place; formal audit not yet engaged. We'll publish the engagement timeline here when scoped.
- GDPR / CCPA. Data export and deletion endpoints are in place; signed DPA available on request for Enterprise.
- HIPAA. Not in scope for v1. We don't accept PHI on the platform.
- Subprocessors. DigitalOcean (compute + storage), Cloudflare (CDN + DNS), Stripe (payments), Resend (transactional email), Google (OAuth identity for opt-in sign-in). Documented list available on request.
Vulnerability disclosure
Found something? We want to hear about it before anyone else does.
- Email [email protected] with reproduction steps. Encrypted attachments welcome.
- We commit to a first response within one business day.
- Good-faith research that doesn't degrade service for other tenants is welcome — we won't pursue legal action.
- We don't run a paid bug bounty yet. We do credit reporters in release notes when they want it.