How we protect your data and your team's deployments.
Last updated: April 22, 2026
Infrastructure
- All data is served over HTTPS with TLS 1.3. There is no option for unencrypted connections — .dev domains enforce HTTPS at the browser level.
- Static files are stored on Cloudflare R2 with encryption at rest. R2 buckets are private and accessible only through authenticated Cloudflare Workers.
- Application metadata is stored in PostgreSQL (Neon) with encryption at rest and encrypted connections.
- The API runs on isolated infrastructure with no shared tenancy.
- Cloudflare's global edge network provides DDoS protection and a Web Application Firewall on all served content.
- The Deloc platform and user-hosted apps run on separate domains. The application dashboard operates on deloc.dev while deployed apps are served from deloc.app. This domain separation provides complete cookie and origin isolation — uploaded content cannot access platform authentication or session data. Both domains enforce HTTPS at the browser level.
Authentication
- Sign in with Google, Microsoft OAuth, or email and password. CLI and MCP authentication uses OAuth 2.0 with PKCE to protect the authorization code exchange.
- Session tokens are stored in HttpOnly, Secure, SameSite=Strict cookies. They are never exposed to JavaScript.
- JWT access tokens expire after 4 hours. Refresh tokens are rotated on every use.
- CLI and MCP authentication uses one-time authorization codes exchanged over HTTPS. Tokens are never passed in URLs.
- All passwords are hashed with bcrypt. We never store plaintext passwords.
Access Control
- Password protection is available on all plans, including free.
- Email domain restriction limits app access to users whose email domain matches the app's allowlist (Pro Unlimited and above).
- Full OIDC/SAML SSO with your identity provider for Enterprise — Okta and Microsoft Entra App Gallery integrations available; any OIDC-compatible IdP supported.
- Role-based access control: Admin, Publisher, and Viewer roles with least-privilege defaults.
- SCIM provisioning for automated user lifecycle management (Enterprise).
Application Security
- All uploaded content is scanned before deployment for known phishing patterns, crypto-miner fingerprints, unsafe inline scripts (eval, Function constructors), external form targets, and SVG script content.
- File type allowlisting ensures only safe web content types are served (HTML, CSS, JS, images, fonts, SVG, WASM).
- SVG files are served with Content-Disposition: attachment to prevent script execution.
- Zip bomb protection with extraction size limits and file count caps.
- Path traversal protection with multi-layer input sanitization and prefix verification.
Actions
Deloc Actions let a published app invoke server-side HTTP endpoints without shipping credentials to the browser. Because the call runs on our infrastructure with your stored secrets, we harden it on multiple layers.
- SSRF protection on every outbound request: HTTPS and port 443 only. DNS is resolved before the request fires and re-validated after every redirect hop. Organization accounts also enforce a per-org hostname allowlist; solo paid accounts fall back to the IP-range checks below.
- Blocked network ranges include IPv4 loopback, RFC1918 private ranges, link-local, CGN, multicast, and reserved space, plus the AWS, GCP, and Azure instance-metadata endpoints. IPv6 loopback, link-local, unique-local, and IPv4-mapped addresses are blocked equivalently.
- The outbound TCP connection is pinned to the pre-validated IP via a custom DNS lookup, so a hostile DNS response between validation and connect cannot redirect the socket to an internal host. TLS hostname verification still runs against the original host, so certificate checks remain intact.
- Action secrets and OAuth credentials are encrypted at rest with libsodium authenticated encryption (XSalsa20-Poly1305), a fresh per-row nonce, and versioned master keys to support rotation. Plaintext only exists in memory for the duration of a single outbound call.
- Every invocation enforces per-action timeouts, response size caps, and a content-type allowlist on the upstream response. Request variables are bound through a per-action allowlist — unexpected keys never reach the outbound request.
- The invocation endpoint requires a valid viewer session cookie and rejects cross-origin requests (Origin header must match the app's host). Actions can be gated to specific viewer roles.
- Each action enforces a configurable per-viewer-per-hour and per-app-per-hour invocation cap. Exceeding either returns a structured rate_limit error without hitting the upstream.
- Full invocation audit log: viewer identity, status code, latency, error type, and the submitted request body are recorded and retrievable for compliance review.
- Action-level variables are shared across all viewers of an app and should not contain personal data. Per-viewer submissions are stored in the invocation log.
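The outbound checks described above (HTTPS on 443 only, resolve-then-validate, pin the socket to the validated IP, re-validate on every redirect hop), as an added illustration that is not Deloc's own code. The CIDR list is assembled from the categories the page names; `resolve` and `send` are injected stand-ins for the DNS resolver and HTTP client so it runs offline, and `metadata.google.internal` as a name-based metadata host is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges the page names as blocked: loopback, RFC1918, link-local (which covers the
# 169.254.169.254 metadata endpoints), CGN, multicast, reserved, and IPv6 counterparts.
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
BLOCKED_V6 = [ipaddress.ip_network(n) for n in ("::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]
METADATA_HOSTS = {"metadata.google.internal"}  # name-based metadata host (assumption)

def is_blocked_ip(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                      # ::ffff:10.0.0.1 is checked as 10.0.0.1
    return any(ip in net for net in (BLOCKED_V4 if ip.version == 4 else BLOCKED_V6))

def validate_target(url, resolve):
    """Return the IP the socket must be pinned to, or raise ValueError.
    resolve(host) -> list of IP strings is injected so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.port not in (None, 443):
        raise ValueError("only https on port 443 is allowed")
    host = parts.hostname or ""
    if not host or host in METADATA_HOSTS:
        raise ValueError("host not allowed")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError("unresolvable host")
    blocked = [a for a in addrs if is_blocked_ip(a)]
    if blocked:                                  # every A/AAAA answer must pass
        raise ValueError(f"blocked address {blocked[0]}")
    return addrs[0]

def fetch_pinned(url, resolve, send, max_hops=5):
    """Follow redirects, re-validating and re-pinning on every hop. send(url, pinned_ip)
    -> (status, location) stands in for a client that connects to pinned_ip but verifies TLS against the URL host."""
    hops = []
    for _ in range(max_hops + 1):
        ip = validate_target(url, resolve)
        hops.append((url, ip))
        status, location = send(url, ip)
        if status not in (301, 302, 303, 307, 308) or not location:
            return status, hops
        url = location                           # next hop goes through validation again
    raise ValueError("too many redirects")
```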
API Security
- CSRF protection via double-submit cookie pattern on all state-changing endpoints.
- Rate limiting on authentication, deployment, and billing endpoints.
- Stripe webhook signature verification on all billing events.
- All database queries are parameterized through an ORM — no raw SQL.
- Input validation with schema enforcement on every API endpoint.
- Security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) on all responses.
Data Handling
- We do not read, analyze, or access the content of your deployed files except for automated abuse scanning.
- You retain full ownership of everything you upload. We claim no intellectual property rights over your content.
- Free tier files are retained for 30 days after expiration. Paid tier files are retained for the duration of your subscription.
- Account deletion is immediate and irreversible: apps, files, tokens, and personal information are removed on request. Database backups held by our infrastructure subprocessors are retained and purged under their published retention policies.
- Subprocessors we rely on for infrastructure: Cloudflare (CDN, Workers, R2 storage), Neon (PostgreSQL), Railway (API hosting), and Stripe (billing). We do not share your data with any other third parties.
Audit and Compliance
- Full audit logging of all administrative actions, deployments, and access changes (Team and Enterprise).
- Audit logs exportable as CSV for compliance review.
- GDPR compliant with data subject access and deletion rights.
- CCPA compliant.
Incident Response
- In the event of a security incident, affected users and relevant authorities are notified within 72 hours.
- Abuse reporting available at abuse@deloc.dev. Reports are reviewed within 24 hours.
Responsible Disclosure
- We welcome security researchers who help us keep Deloc safe.
- Report vulnerabilities to security@deloc.dev.
- We commit to acknowledging reports within 48 hours and providing a timeline for remediation.
- We will not pursue legal action against researchers acting in good faith.