Security

Security is our foundation

Built from the ground up with security in mind. Your data is protected at every layer.

Encryption Everywhere

  • TLS 1.3 for all REST and gRPC connections
  • AES-256 encryption at rest for all stored data
  • Job payloads encrypted before storage
  • Database connections encrypted via SSL

Authentication & Authorization

  • API keys hashed with bcrypt before storage
  • JWT tokens with short expiration times
  • Scoped API keys per organization
  • Role-based access control for dashboard users

Infrastructure Security

  • Deployed on Cloudflare Workers with edge security
  • DDoS protection and WAF included
  • Isolated execution environments
  • Automatic security patches and updates

Data Isolation

  • PostgreSQL Row-Level Security (RLS) for complete isolation
  • Organization-scoped API keys
  • No cross-tenant data access possible
  • Audit logging for compliance requirements

Application Security

Our backend is written entirely in Rust, a memory-safe language that eliminates entire classes of vulnerabilities including buffer overflows, use-after-free errors, and data races. This isn't just a preference—it's a fundamental security decision.

  • No garbage collector pauses: Predictable performance under load
  • Compile-time safety: Most bugs are caught before deployment
  • Zero-cost abstractions: Security without performance penalty
  • Regular dependency audits: Automated scanning with cargo-audit

API Key Security

We treat API keys as sensitive credentials. Here's how we protect them:

  • Hashed storage: API keys are hashed using bcrypt with a high work factor before storage. We never store raw keys.
  • Prefixed keys: Keys use prefixes (sk_live_, sk_test_) for easy identification and environment separation.
  • One-time display: Full API keys are shown only once at creation time.
  • Instant revocation: Revoked keys are immediately invalidated across all systems.
  • Key rotation: Create new keys and revoke old ones without downtime.

Webhook Security

When delivering webhooks to your endpoints, we implement multiple security measures:

  • HMAC-SHA256 signatures: Every webhook includes a cryptographic signature you can verify.
  • Timestamp validation: Signatures include timestamps to prevent replay attacks.
  • TLS verification: We only deliver to HTTPS endpoints in production.
  • IP allowlisting: Enterprise customers can restrict webhook origins to specific IPs.
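
A receiver-side check for the signature and timestamp measures listed above, as an added example that is not Spooled's own code or documented format. The `t=<unix>,v1=<hex>` header layout, the `timestamp.body` signed string, the 300-second tolerance and all names are assumptions; take the real format from the service's webhook documentation.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed replay window, not taken from the page


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the assumed header value: t=<unix seconds>,v1=<hex HMAC-SHA256>."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only for a well-formed, fresh, correctly signed delivery."""
    now = int(time.time()) if now is None else now
    fields = dict(p.strip().split("=", 1) for p in header.split(",") if "=" in p)
    try:
        timestamp = int(fields["t"])
        received = fields["v1"]
    except (KeyError, ValueError):
        return False  # missing or malformed header fields
    # Reject stale or far-future timestamps so a captured delivery cannot be replayed later.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    # The timestamp is covered by the MAC, so it cannot be refreshed without the secret.
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    secret = b"whsec_constructed_example"                # constructed sample secret
    body = b'{"event":"job.completed","id":"job_123"}'   # constructed sample payload
    header = sign(secret, 1_700_000_000, body)
    print(verify(secret, header, body, now=1_700_000_060))         # fresh delivery
    print(verify(secret, header, body, now=1_700_003_600))         # replayed an hour later
    print(verify(secret, header, body + b" ", now=1_700_000_060))  # tampered body
```

Verify against the raw request bytes as received, before any JSON parsing or re-serialization, since re-encoding can change the bytes the signature covers.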

Compliance & Certifications

We're committed to meeting industry security standards:

  • GDPR compliant: Full data handling compliance for EU users
  • SOC 2 Type II: Audit in progress
  • HIPAA eligible: Available for healthcare customers on Enterprise plans
  • Data residency: Choose your data region (US, EU, Asia-Pacific)

Incident Response

In the event of a security incident:

  • Affected customers notified within 24 hours
  • Public disclosure within 72 hours for significant incidents
  • Post-incident reports published for transparency
  • Continuous improvement based on lessons learned

Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability:

  • Email: security@spooled.cloud
  • Include detailed reproduction steps
  • We respond within 24 hours
  • We do not pursue legal action against good-faith researchers
  • Credit given in our security advisories (if desired)

Need a Security Review?

Enterprise customers can request detailed security documentation, penetration test reports, and custom compliance assessments. Contact our security team at security@spooled.cloud.