Security
Last updated: 2026-05-26
Your documents are sensitive data. Here's how we protect them. This document is honest — it describes the real state of things, not marketing.
Encryption
- In transit: TLS 1.2+ on every connection between frontend, API, background workers, and DB. HTTPS on all public domains. Certificates auto-renew via Let's Encrypt.
- Passwords: stored as bcrypt hashes (standard work factor). We have no access to plaintext passwords — not even in the database.
- API keys and secrets: stored only as environment variables on the production server, never committed to git history or source code.
Infrastructure
- Hosting: Hetzner Online GmbH, European Union (Germany / Finland). Hetzner data centers are ISO 27001 certified.
- DDoS / WAF: Cloudflare at the edge.
- Rate limiting on the API via nginx — protects against brute force and automated abuse.
- Isolation: production is separated from dev/staging; no shared credentials.
Access control
- Production server access via SSH keys only (password auth disabled).
- Staff access to user data is only granted following a user's own support request (e.g., to reproduce a bug).
- JWT auth tokens have a 24-hour TTL — users must sign in again after that.
Dependencies and updates
- Dependencies are pinned (lock files: pyproject.toml, package-lock.json).
- Security updates to libraries are applied at least monthly.
Logging and monitoring
- Structured logs via Loguru.
- Errors aggregated in Sentry — lets us respond quickly to issues.
- Logs do not contain: card numbers, plaintext passwords, or full document content. Only metadata (IDs, timestamps, operation status).
Vulnerability reporting
Found a security bug? Email help@chatscontrol.com with subject "Security". Please don't disclose publicly before we patch. We respond within 48 hours and fix critical issues as quickly as possible.
What we don't have yet (being honest)
We're a small team — some enterprise practices aren't in place yet. We're working on them:
- Disk encryption at rest: Hetzner server disks are not encrypted by default. That means Hetzner's technical staff theoretically have access to files — though Hetzner is contractually prohibited from looking. If this is critical for you, get in touch: we can discuss options (dedicated server with manual LUKS, on-prem deployment).
- Automated backups: not configured yet. A hardware failure could mean losing any data written since the last manual backup. We're working on this.
- SOC 2 / ISO 27001: no formal certification — these are aimed at much larger companies. Available on request: security documentation for vendor reviews.
- External penetration test: not yet performed.
- Bug bounty: no formal program, but vulnerability reports are taken seriously.
Questions? Email us at help@chatscontrol.com or message us on Telegram at @mrbuslov.