Security Policy

At SideFuel, security is foundational to the Relayers platform. As a webhook routing service, we handle sensitive data in transit and implement multiple layers of protection to ensure the confidentiality, integrity, and availability of your data.

1. Encryption

1.1 Data in Transit

• All API and dashboard connections are encrypted with TLS 1.2 or higher
• WebSocket tunnel connections use WSS (WebSocket Secure)
• Webhook deliveries to HTTPS endpoints use TLS
• HTTP Strict Transport Security (HSTS) is enforced with a 1-year max-age, includeSubDomains, and preload

1.2 Data at Rest

• Passwords are hashed using bcrypt with a cost factor that follows current best practices
• API keys are stored as SHA-256 hashes — plaintext keys are shown only once at creation
• Database encryption at rest is provided by our infrastructure provider

2. Authentication & Access Control

• JWT Tokens: Short-lived access tokens (15-minute TTL) with refresh token rotation
• API Keys: Prefixed tokens (wrk_) for programmatic access, stored as hashes, revocable at any time
• Multi-Tenant Isolation: Every database query is scoped by tenant_id. Cross-tenant access is architecturally impossible through the application layer
• Role-Based Access Control (RBAC): Four roles (owner, admin, member, viewer) with granular permissions
• Platform Admin Guard: Administrative operations require a separate platform admin flag, checked at the middleware level
• Device Authorization Flow: CLI authentication uses OAuth 2.0 Device Code flow — no password entry on untrusted devices

3. Infrastructure Security

• Rate Limiting: Sliding-window rate limiting on authentication endpoints and API routes to prevent brute-force and abuse
• Security Headers: X-Content-Type-Options, X-Frame-Options (DENY), Referrer-Policy, Permissions-Policy, and HSTS on all responses
• Input Validation: All API inputs are validated and sanitized. Maximum payload sizes are enforced
• Webhook Signature Verification: Inbound webhook signatures are verified when configured, preventing spoofed events
• Idempotency: Webhook deduplication prevents replay attacks and duplicate processing

4. Data Protection

• Automatic Data Retention: Webhook events and delivery attempts are automatically purged after the plan's retention period (7-90 days)
• Data Export: Users can export their data via the API at any time
• Account Deletion: Users can request permanent deletion of their account and associated data
• No Tracking: We use only essential cookies for authentication. No third-party tracking, analytics, or advertising cookies

5. Responsible Disclosure

We value the security research community and welcome responsible disclosure of vulnerabilities.

5.1 How to Report

If you discover a security vulnerability in the Relayers platform, please report it to:

• Email: security@relayers.app
• security.txt: /.well-known/security.txt (served by the API)

5.2 What to Include

• Description of the vulnerability and its potential impact
• Steps to reproduce
• Any proof-of-concept code or screenshots
• Your contact information for follow-up

5.3 Our Commitment

• We will acknowledge receipt within 2 business days
• We will provide an initial assessment within 5 business days
• We will not take legal action against researchers who follow this disclosure policy
• We will credit researchers (with consent) in our security advisories
• We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 90 days)

6. Incident Response

We maintain an incident response process to handle security events:

• Detection: Automated monitoring, logging, and anomaly detection
• Assessment: Severity classification and scope determination
• Containment: Immediate steps to limit the impact
• Notification: Affected customers notified within 72 hours of confirmed incidents (as required by GDPR) and within a reasonable timeframe under LGPD
• Remediation: Root cause analysis and implementation of preventive measures
• Post-mortem: Documentation and process improvement

7. Compliance

Our security practices are designed to align with:

• LGPD (Lei Geral de Proteção de Dados) — Brazilian data protection law
• GDPR (General Data Protection Regulation) — EU data protection regulation
• ISO 27001 — Information security management (roadmap)
• OWASP Top 10 — Web application security best practices

8. Contact

For security questions or to report a vulnerability:

• Security team: security@relayers.app
• DPO: dpo@relayers.app

9. Related Documents

• Privacy Policy
• Terms of Service
• Data Processing Agreement (DPA)