API keys are never stored in plaintext. Keys are hashed using HMAC-SHA256 with a server-side secret — computationally infeasible to reverse even with full database access.
All API traffic and dashboard connections are encrypted with TLS 1.3. HSTS preloading is enforced with a 2-year max-age.
Every database table enforces Supabase Row-Level Security policies — customers can only access their own data, enforced at the database level, not just application code.
Every moderation decision and configuration change is written to an append-only signed audit log with hash chaining. No entry can be altered without detection.
The moderation request hot path makes zero calls to third-party services. Auth tokens are validated against a local cache, not a cross-cloud round-trip.
All gateway endpoints enforce strict request body size limits (512KB for single requests, 5MB for batch) to prevent OOM attacks.
HushSafe runs on AWS in a private VPC. The inference service is not exposed to the public internet — only the Go gateway has an external endpoint. Internal service communication uses shared secrets that are never committed to version control.
Redis (used for rate limiting and config caching) requires authentication and is bound only to the internal Docker network. Postgres connections use the Supabase transaction pooler with SSL enforced.
[Placeholder — add specific AWS region, VPC CIDR, and security group details.]
All HTTP responses include security headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a strict Content Security Policy.
The dashboard is protected by Supabase Auth with email verification. API keys displayed once and never retrievable. CORS is restricted to known origins on management endpoints.
If you discover a security vulnerability, please report it responsibly to security@hushsafe.com. We follow a 90-day coordinated disclosure policy. We do not pursue legal action against researchers who follow responsible disclosure guidelines.
A /.well-known/security.txt is available at hushsafe.com/.well-known/security.txt.
[Placeholder — update compliance status as certifications are obtained.]