SECURITY ← Back to home
SECURITY

Security by design

DDSINTEL runs on a serverless edge architecture with defense-in-depth controls. No origin servers. No persistent disks at the compute layer. Every request authenticated.

Effective: April 23, 2026 Last updated: April 23, 2026 [email protected]
PILLARS

How we secure the platform

Edge-First Infrastructure

Entire platform runs on Cloudflare Workers with no traditional origin servers.

DDSINTEL runs on Cloudflare Workers distributed across 330+ edge locations worldwide. There are no traditional origin servers to attack — there is no shell, no long-running process, and no persistent disk at the compute layer.

All requests terminate on Cloudflare's network and are served from the nearest data center to the user. This architecture eliminates entire classes of attacks (SSH brute-force, unpatched OS CVEs, hypervisor escapes) that plague conventional VPS-based SaaS deployments.

Encryption Everywhere

TLS 1.3 in transit, AES-256 at rest. Keys rotated on a fixed schedule.

Every byte of traffic is encrypted in transit with TLS 1.3 using modern cipher suites. Certificates are provisioned and renewed automatically via Cloudflare. HSTS is enforced with preload, and legacy TLS versions are disabled.

All persistent data is encrypted at rest with AES-256. Database connections use mutual TLS. Secrets and API keys are stored in Cloudflare Secret Store — never in code, logs, or environment files.

Zero-Trust Access Control

Every request authenticated and authorized. MFA mandatory for operators.

Every API request is authenticated via signed, scoped API keys. Every dashboard session is backed by short-lived JWT tokens with refresh rotation. Row-Level Security policies enforce tenant isolation at the database layer — not merely in application code.

Mandatory WebAuthn/passkey MFA for all operator accounts. Session privilege escalation requires re-authentication. All operator actions are immutable-logged with actor, timestamp, and change set.

Continuous Monitoring

Real-time anomaly detection, immutable audit logs, automated incident response.

Request patterns, authentication events, and data-access operations are streamed into our observability pipeline in real time. Automated rules flag anomalies — unusual geography, off-hours access, sudden query-volume spikes — and trigger tiered alerts to the on-call engineer within seconds.

Audit logs are append-only, cryptographically signed, and retained for 13 months. WAF rules mitigate common web attacks, and rate limits are tuned per endpoint to absorb volumetric abuse without degrading legitimate traffic.

Secure Development Lifecycle

Every change reviewed, tested, and scanned before it reaches production.

All code changes pass through mandatory peer review and an automated CI pipeline that runs static analysis (Semgrep), dependency vulnerability scanning (GitHub Advanced Security / Dependabot), secrets scanning (TruffleHog), and the full test suite before merge.

Deployments are immutable, versioned, and reversible in under 60 seconds. No production access without an audited CI path; no manual edits to running services.

Privacy-Preserving Design

Data minimization by default. No tracking cookies. No model training on customer data.

We collect the minimum information necessary to deliver the Services, retain it only as long as required, and document every retention window in our Privacy Policy.

No third-party advertising trackers. No cross-site behavioral profiling. Customer data is never used to train public large-language models or sold to data brokers.

COMPLIANCE

Standards & certifications

Our compliance posture reflects our operating model: a B2B platform that does not ingest patient PHI and processes data exclusively from public records and business-level sources.

SOC 2 Type II In progress

Audit window opens Q3 2026

GDPR Compliant

Standard Contractual Clauses in place

CCPA / CPRA Compliant

Do-Not-Sell honored by default

HIPAA Aware

No PHI ingested by design

PCI DSS Out of scope

Payments processed by Stripe

RESEARCHERS

Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please send a detailed report to [email protected]. Include steps to reproduce, impact, and any suggested remediation.

We commit to: acknowledging receipt within 48 hours, providing a substantive response within 5 business days, and publicly crediting reporters (with consent) in our security changelog.

Please act in good faith: do not access data beyond what is necessary to demonstrate the vulnerability, do not disclose publicly before we have had an opportunity to remediate, and do not test against live customer data.

We do not currently operate a paid bug-bounty program, but we offer swag and public acknowledgment for meaningful reports.

In scope
  • ddsintel.com and all subdomains
  • api.ddsintel.com
  • Authentication and authorization flows
  • API input validation
  • Public-facing Workers
Out of scope
  • Denial-of-service attacks
  • Social-engineering attacks against our staff
  • Physical attacks
  • Findings from automated scanners without a clear exploit path
  • Missing security headers without a demonstrable impact
Report a vulnerability [email protected]
Contact Security