Infrastructure
CrimeLayer runs entirely on Cloudflare's global network. We do not operate our own servers or data centers.
- Compute: Cloudflare Workers (edge runtime, 300+ global locations)
- Database: Cloudflare D1 (globally replicated SQLite)
- Cache / session store: Cloudflare KV
- Static content: Cloudflare Pages (CDN-backed)
- Telemetry: Cloudflare Workers Analytics Engine
- DDoS protection: Cloudflare's always-on DDoS mitigation
- WAF: Cloudflare Web Application Firewall with default ruleset
Encryption
- In transit: TLS 1.2+ with modern cipher suites on all endpoints
- At rest: Cloudflare D1 and KV encrypt data at rest using AES-256
- API keys: Stored as SHA-256 hashes in the database; raw keys are shown exactly once during creation
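The hash-at-rest handling of API keys listed above, sketched as an added example; it is not CrimeLayer's own code. The `cl_test_` prefix, the in-memory `Map` standing in for the database table, the function names and the truncated `keyId` are assumptions, and the code uses Node's `node:crypto` module.

```javascript
// Added example (not CrimeLayer's code): issue an API key, keep only its
// SHA-256 hash, and verify a presented key by hashing it and looking it up.
const { createHash, randomBytes } = require('node:crypto');

const PREFIX = 'cl_test_'; // hypothetical prefix, makes leaked keys easy to scan for

const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Stand-in for the database table (assumption): key_hash -> record.
function createStore() {
  return new Map();
}

function issueKey(store, userId, plan) {
  // 32 random bytes = 256 bits of entropy. Because the key is random and
  // long, a plain unsalted SHA-256 is enough here; that would not be true
  // for low-entropy secrets such as passwords.
  const rawKey = PREFIX + randomBytes(32).toString('base64url');
  store.set(sha256Hex(rawKey), { userId, plan, createdAt: Date.now() });
  return rawKey; // returned to the caller once, never written to the store
}

function verifyKey(store, presented) {
  // Reject malformed input before hashing.
  if (typeof presented !== 'string' || !presented.startsWith(PREFIX)) {
    return null;
  }
  const keyHash = sha256Hex(presented);
  const record = store.get(keyHash); // lookup is by hash, not by raw key
  if (!record) return null;
  // Short hash-derived identifier (assumption) that can appear in metrics
  // without exposing the key itself.
  return { ...record, keyId: keyHash.slice(0, 16) };
}

// Constructed sample run.
const demoStore = createStore();
const demoKey = issueKey(demoStore, 'user-123', 'pro');
console.log('verified plan:', verifyKey(demoStore, demoKey).plan);
console.log('tampered key :', verifyKey(demoStore, demoKey + 'x'));
```

A database dump under this scheme yields only hashes, so a lost key cannot be recovered and has to be rotated.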
Authentication and Authorization
- User authentication via OAuth 2.0 (Google, GitHub, Apple) — we never store passwords
- Session management via JWT with short expiration windows
- API authentication via per-user API keys with plan-based rate limiting
- Admin endpoints restricted to an allowlisted operator email
What We DO NOT Collect or Store
- Payment details (handled entirely by Stripe)
- Request bodies or response bodies in logs
- IP addresses beyond the standard Cloudflare access log
- End-user tracking across the marketing site
Telemetry and Logging
The CrimeLayer monitoring worker records per-request metrics (endpoint path, HTTP method, status code, latency, plan tier, hashed API key ID) into Cloudflare Workers Analytics Engine. These metrics are retained for 30 days and used for anomaly detection, rate limit enforcement, and billing. No request or response bodies are logged.
Sub-Processors
A current list of sub-processors is maintained in the Privacy Policy.
Responsible Disclosure
If you believe you've found a security vulnerability in CrimeLayer, please report it to [email protected] before disclosing publicly. We will acknowledge your report within 48 hours and work with you on coordinated disclosure.
We commit to:
- Not pursuing legal action against good-faith security research
- Crediting reporters in a public acknowledgments list (unless you prefer anonymity)
- Fixing verified vulnerabilities before public disclosure
Incident Response
In the event of a security incident or data breach, CrimeLayer will notify affected customers by email within 72 hours of confirmation. Updates will also be posted to the Changelog and status page.
Compliance Roadmap
CrimeLayer is early-stage and does not currently hold formal compliance certifications. Our planned compliance roadmap:
- Already in place: GDPR + CCPA compatible data handling (see Privacy Policy)
- Q4 2026: Initial SOC 2 Type I assessment
- 2027: SOC 2 Type II certification
Enterprise customers can request a security questionnaire response and DPA by emailing [email protected].
Contact
Security questions or reports: [email protected]