v0.1 — review pending

Security

Last updated: 2026-05-07

Our principles

Security is the #1 pillar of rendfly. The product handles end-user PII inside conversations, customer system messages (intellectual property), and provider API keys (real-money access). The supreme rule: never trust the frontend. All authorization, validation, and tier-gating happen server-side; the SvelteKit frontend is purely UX.

Eight principles every change is judged against:

  1. Defense in depth — multiple layers, never one safeguard alone.
  2. Least privilege — minimum permission per service and per user.
  3. Secure by default — PII redaction, 2FA, and audit logging are on by default.
  4. Fail closed — when uncertain, refuse.
  5. Auditability — every sensitive access is logged immutably.
  6. Data minimization — short retention for raw PII originals.
  7. Threat-informed — designed against real attackers, not compliance theater.
  8. Transparency to customer — you can see what data is held and how.

Day-1 hard requirements

  • TLS 1.3 everywhere
  • AES-256-GCM at rest for sensitive columns (provider keys, system messages)
  • PostgreSQL row-level security on every multi-tenant table — scoped to workspace_id
  • Argon2id password hashing, short-lived (15 min) JWT plus refresh tokens
  • HttpOnly + SameSite=Lax cookies; CSRF protection on state-changing routes
  • PII redaction before storage
  • Prompt-injection mitigation in the judge (sandwich pattern with <rules> and <conversation> tags)
  • Per-workspace rate limiting
  • Immutable audit log for sensitive accesses
  • Secrets in Vault (or encrypted env in MVP-light)
  • Dependency and secrets scanning in CI (govulncheck, gitleaks)

Compliance roadmap

  • Day 1: LGPD (Brazil) and GDPR (EU) compliance.
  • Month 6: SOC 2 Type I.
  • Month 12: SOC 2 Type II.
  • Month 18+: ISO 27001.

Current status: SOC 2 in progress.

Reporting vulnerabilities

If you've found a security issue, please email security@rendfly.com. Include reproduction steps, affected endpoints, and your contact info. We acknowledge within 24 hours and aim to resolve high-severity issues within 7 days. We don't currently run a paid bug bounty, but we credit reporters publicly with their permission.