Security posture.
A consolidated reference for security review teams. The operational mirror, with live disclosure programme and security.txt, is at security.cloakapi.io.
1. Threat model in one paragraph
CloakAPI assumes the AI provider is an adversary. The architecture removes identifiable data on the customer device before the prompt is transmitted — in WebAssembly the customer can audit for the chat and browser extension, native Rust for the desktop app and the local proxy. The CloakAPI gateway is a blind token relay: it forwards only the tokens your device sends, never inspects or tokenises content on our servers, and never stores clear-text payload. Compromise of the gateway does not expose customer prompts or responses — there is no plaintext there to expose. Compromise of the AI provider exposes only the redacted, tokenised prompt.
2. Cryptography
Encryption-in-transit
- TLS 1.3 enforced everywhere; 1.2 declined.
- HSTS preload, max-age 63072000, includeSubDomains, preload.
- Certificate transparency monitoring on all *.cloakapi.io and signedreceipts.org names.
Encryption-at-rest
- LUKS2 + AES-256-XTS for block storage; per-volume keys held in HashiCorp Vault.
- Postgres column-level encryption (AES-256-GCM) for billing PII.
- Backups encrypted with
age(X25519 + ChaCha20-Poly1305); pull-only model from a separate trust domain.
Receipt-signing keys
- ECDSA P-256 receipt-signing root keys are generated and held in a software-isolated process (strict file-system and network isolation; never written to disk in plaintext) under Shamir 3-of-3 split custody. A dedicated HSM with an audited key ceremony is available on enterprise request; standard accounts use software-backed key material.
- Daily intermediate keys signed by the root; rotated every 24 hours.
- Shamir 3-of-3 quorum (CEO + CTO + ops-lead hardware tokens) required to unseal the root.
3. Identity & access
- Production access: hardware MFA (WebAuthn / YubiKey) only; passwords disabled for the production realm.
- Just-in-time elevation via tailnet ACLs; default-deny.
- Quarterly access review; auto-revoke on role change or 30-day inactivity.
- Customer-side: TOTP MFA at minimum; SSO (SAML 2.0 + SCIM) available to every account (in development; beta on request).
4. Software supply chain
- SLSA Level 3 build provenance for the gateway and desktop client.
- SBOMs published per release; reproducible builds for the verifier-cli.
- Dependency review on every PR; weekly automated
npm audit/cargo audit/pip-auditrun with auto-PR. - The supply-chain classifier blocks unapproved third-party images and license codes (operator policy, documented in the BLOCKED queue).
5. Network & perimeter
- Cloudflare WAF with managed-ruleset + custom rules; DDoS L3-L7.
- Public surfaces: cloakapi.io, app.cloakapi.io, demo.cloakapi.io, status.cloakapi.io, security.cloakapi.io, docs.cloakapi.io, signedreceipts.org.
- Tailnet-only surfaces: crm.cloakapi.io, mail.cloakapi.io backend, mailpit. These return 403 from the public Internet.
- Egress allow-list from production: only sub-processor endpoints listed in /legal/subprocessors.
6. Vulnerability management
- Continuous bounty programme at security.cloakapi.io.
- Penetration testing programme: scoped annual engagement begins on first enterprise customer request via reputable firm (e.g. Cobalt, Bishop Fox). Latest report status: not yet engaged.
- SLA: critical 24 h, high 7 d, medium 30 d, low 90 d. Tracked in the public hall of fame.
- Coordinated-disclosure policy with safe-harbour terms and a published response timeline.
7. Incident response
- Continuous automated alerting (error tracking + uptime monitoring) pages the on-call operator at any hour, including outside business hours.
- Customer notification within 48 h of confirmed personal-data breach (Art. 33).
- Public postmortem for SEV-3+ within 5 business days at status.cloakapi.io.
- Incident tabletop exercises and a full simulated-breach drill are run on a target quarterly / annual cadence respectively as we build operating history; we do not claim a completed drill record we do not yet have.
8. Audit attestations
| Framework | Status | Next milestone |
|---|---|---|
| GDPR Art. 25 (by-design) | Documented | Continuous |
| NIS2 readiness | Self-assessed compliant | Re-assess 2026-Q4 |
| HIPAA | BAA available on request | On request |
| PCI DSS 4.0 | Out-of-scope (Stripe-tokenised) | n/a |
9. Insurance
Cyber liability and errors & omissions (E&O) insurance: not currently carried. No policy is in force and no carrier engagement is under way today; see /legal/insurance for our coverage intent. No coverage amount is stated here until a policy is in force.
10. Reporting a vulnerability
Email security@cloakapi.io (PGP at security.cloakapi.io/pgp-key.asc) or submit via the disclosure form at security.cloakapi.io. We acknowledge within 24 hours.