Security overview
This page is the entry point for a security review of Driftstack. It links out to the concrete controls + policy pages; this document is a map, not an exhaustive specification. For the contract-grade detail (SOC2 reports, pen-test summaries) reach out to [email protected].
Data handling
- At rest: All customer data in Postgres is on encrypted volumes (managed by Neon). API key plaintext is never stored — keys are hashed with scrypt(logN=15) at mint time. OAuth client secrets are similarly hashed before storage. MFA seeds are AES-256 encrypted with a key from the MFA_ENCRYPTION_KEY env, never written in plaintext.
- In transit: TLS 1.2+ enforced on every public endpoint. HSTS is set with max-age=63072000; includeSubDomains; preload — see API security headers for the full set.
- Object storage: Customer-generated artefacts that land in Cloudflare R2 use server-side encryption (S3-SSE); underlying objects are never publicly listable. Session recordings are a roadmap item — see /docs/recordings for status.
- Profile state: Per-profile browser state (cookies, localStorage, IndexedDB) lives in the WebKit driver layer as per-profile encrypted files on disk (EU host). The Postgres profile row holds metadata only — name, archetype, description.
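One way to implement the mint-time hashing described in the "At rest" item, as an added example that is not Driftstack's own code. The page gives only logN=15; the r and p values, salt and digest lengths, the key_id.secret key format and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets

# logN=15 is from the page; r, p, dklen and salt size are assumed values.
# OpenSSL's default scrypt memory cap (32 MiB) is too small for N=2**15, r=8,
# so maxmem is raised explicitly; otherwise hashlib.scrypt raises ValueError.
SCRYPT = dict(n=2**15, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)


def mint_key(store: dict, scope: str = "read") -> str:
    """Create a key, persist only salt + digest, return the plaintext once."""
    key_id = secrets.token_hex(8)        # non-secret handle used for lookup
    secret = secrets.token_urlsafe(32)   # 256 bits of randomness
    salt = secrets.token_bytes(16)       # per-key salt
    store[key_id] = {"salt": salt, "digest": _digest(secret, salt), "scope": scope}
    return f"{key_id}.{secret}"          # shown to the caller, never stored


def verify_key(store: dict, presented: str):
    """Return the key's scope when the presented key is valid, else None."""
    key_id, sep, secret = presented.partition(".")
    record = store.get(key_id)
    if not sep or record is None:
        return None
    candidate = _digest(secret, record["salt"])
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if hmac.compare_digest(candidate, record["digest"]):
        return record["scope"]
    return None


if __name__ == "__main__":
    db = {}                              # stand-in for the keys table
    key = mint_key(db)
    print("valid key scope:", verify_key(db, key))
    print("tampered key   :", verify_key(db, key + "x"))
```

The non-secret key_id prefix exists so the server can find the right salt without scanning every stored digest.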
Authentication + authorization
- Customer keys are scoped: read/write/account_owner. We default to least-privilege; the dashboard's "create key" flow defaults to read with an explicit checkbox to widen.
- MFA (TOTP) is available for every account and required for any operation we classify as "sensitive" — see the dashboard for the per-account toggle. We re-prompt for MFA after 15 minutes of step-up inactivity.
- Admin actions are gated behind a separate driftstack_internal_admin scope that no customer key can hold. See /docs/admin-api for the surface.
- Every login event + every key mint/revoke is captured in the account audit log (V-074); customers can self-serve a full log export.
Network + infrastructure
- Driftstack runs primarily in the EU (Hetzner Falkenstein / Nuremberg). Customer-facing API endpoints are served from the EU region today; multi-region routing is on the roadmap. See /docs/data-residency for the region-preference account field and the planned PoP expansion.
- Postgres is managed by Neon (EU) with point-in-time recovery. Object storage (R2) is geo-replicated across Cloudflare's EU + US regions; presigned access is location-agnostic.
- Customer data egress to non-EU regions is restricted to the sub-processors enumerated below and on the sub-processor list. See /docs/data-residency for the per-category breakdown.
- Rate-limiting is enforced application-side via token buckets (per-account + per-IP); see /docs/rate-limits for the bucket model. DDoS absorption is handled at the CDN edge.
Browser sandbox
- Driftstack does not execute customer-supplied script bodies server-side — the API surface is action-based (navigate/interact/wait/capture). Arbitrary script eval is intentionally not exposed.
- Each session is one isolated WebKit instance backed by an ephemeral context; cross-session state never bleeds. Persistence between sessions only happens via the customer-managed profile mechanism (encrypted browser state on the driver host, EU).
- Concurrent-session caps per tier act as the primary cost-control + abuse-mitigation primitive; exceeding the cap returns 429 with the concurrency-limit RFC 7807 type.
Sub-processors
A full sub-processor list with a description of what each receives is available at /legal/sub-processors. The shortlist as of 2026:
- Stripe (card billing only — no payment data touches our infra)
- NowPayments (crypto checkout)
- Cloudflare (CDN, WAF, R2 object storage)
- Postmark (transactional email)
- Sentry (engineering error monitoring; PII-scrubbed at SDK level)
We publish a 30-day notice before adding or rotating a sub-processor. Enterprise contracts can opt into the announcement mailing list at announcements@.
Audit + observability
Three log streams are customer-readable:
- Account audit log — every mutation on your account (key mints, profile changes, billing events).
- Session logs — per-session navigation + console output retained per tier.
- Cost ledger — every billable event, queryable via the API.
Incident response
See /docs/incident-policy for the disclosure timeline + the status page cadence. Security-relevant incidents are disclosed within 72h of confirmation; we do not bury exposure events.
Vulnerability reporting
Email [email protected] with the details. We respond within 1 business day. Our vulnerability disclosure policy covers safe-harbour for good-faith research; please review it before testing.