HomeSecurity

Security

How we protect the platform, your data, and your users.

Last updated: June 2026

HMAC-SHA256 API Key Hashing

API keys are never stored in plaintext. Keys are hashed using HMAC-SHA256 with a server-side secret — computationally infeasible to reverse even with full database access.

TLS 1.3 In Transit

All API traffic and dashboard connections are encrypted with TLS 1.3. HSTS preloading is enforced with a 2-year max-age.

Row-Level Security

Every database table enforces Supabase Row-Level Security policies — customers can only access their own data, enforced at the database level, not just application code.

Signed Audit Chain

Every moderation decision and configuration change is written to an append-only signed audit log with hash chaining. No entry can be altered without detection.

No Cross-Cloud Hot Path

The moderation request hot path makes zero calls to third-party services. Auth tokens are validated against a local cache, not a cross-cloud round-trip.

Request Body Limits

All gateway endpoints enforce strict request body size limits (512KB for single requests, 5MB for batch) to prevent OOM attacks.

Infrastructure Security

HushSafe runs on AWS in a private VPC. The inference service is not exposed to the public internet — only the Go gateway has an external endpoint. Internal service communication uses shared secrets that are never committed to version control.

Redis (used for rate limiting and config caching) requires authentication and is bound only to the internal Docker network. Postgres connections use the Supabase transaction pooler with SSL enforced.

[Placeholder — add specific AWS region, VPC CIDR, and security group details.]

Application Security

All HTTP responses include security headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a strict Content Security Policy.

The dashboard is protected by Supabase Auth with email verification. API keys displayed once and never retrievable. CORS is restricted to known origins on management endpoints.

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to security@hushsafe.com. We follow a 90-day coordinated disclosure policy. We do not pursue legal action against researchers who follow responsible disclosure guidelines.

A /.well-known/security.txt is available at hushsafe.com/.well-known/security.txt.

Compliance Posture

  • SOC 2 Type II — In progress
  • GDPR — Data processing agreements available, EU data residency option available.
  • EU DSA — Transparency reports generated per Article 15.
  • CSAM — Zero tolerance. Detected content is blocked and reported via NCMEC CyberTipline.

[Placeholder — update compliance status as certifications are obtained.]