← Back to home

Security

How we protect your compliance evidence

AES-256

Encryption at rest

TLS 1.2+

Encryption in transit

PBKDF2

Password hashing

SOC 2

Cloudflare infrastructure

Data Encryption

At rest: All files stored in Cloudflare R2 are encrypted using AES-256, the same standard used by banks and government agencies.

In transit: All data transmitted to and from ProofRepo uses TLS 1.2 or higher. We enforce HTTPS on all connections.

Infrastructure

ProofRepo runs entirely on Cloudflare's global network, which maintains SOC 2 Type II, ISO 27001, and other security certifications.

Component Provider Certifications
File storage Cloudflare R2 SOC 2 Type II, ISO 27001
Application logic Cloudflare Workers SOC 2 Type II, ISO 27001
Account & session data Cloudflare KV SOC 2 Type II, ISO 27001
Payments Stripe PCI DSS Level 1
Email delivery Resend TLS encryption, US-based

Authentication & Access Controls

ProofRepo uses two access models depending on the user role:

Auditor accounts:

  • Password security: Passwords are hashed using PBKDF2 with 100,000 iterations of SHA-256 and a unique random salt per account. We never store plaintext passwords.
  • Session tokens: Authenticated sessions use HMAC-SHA256 signed tokens with configurable expiration (1 day standard, 30 days with "remember me").
  • Constant-time comparison: Password verification uses constant-time comparison to prevent timing attacks.
  • Email verification: New accounts must verify their email address before sending evidence requests.

Client evidence uploads:

  • Signed URLs: Clients receive cryptographically signed links that grant access only to their specific evidence request. No account required.
  • Time-limited access: Download links expire after 72 hours. Upload links expire at the request deadline.
  • Scoped access: Each link provides access only to its specific submission.

Data Retention

We minimize data retention to reduce risk:

  • Uploaded files: Automatically deleted 90 days after submission
  • Request records: Deleted after 30 days
  • Account data: Retained until the user deletes their account
  • On-demand deletion: Auditors can delete submissions immediately via the Pack Viewer

File retention is enforced at the infrastructure level through Cloudflare R2 lifecycle rules — deletion happens automatically regardless of any application-level issues.

What We Don't Do

  • We don't access or view your uploaded files
  • We don't share data with advertisers or data brokers
  • We don't use tracking cookies or analytics services
  • We don't train AI models on your data

Responsible Disclosure

If you discover a security vulnerability in ProofRepo, please report it to [email protected]. Include steps to reproduce, potential impact, and any supporting evidence. Give us reasonable time to investigate before public disclosure.

Questions About Security?

We're happy to answer questions about how we protect your data.

[email protected]