Security Overview
Last Updated: March 26, 2026
At InkReef, security is a core part of how we design, build, and operate the platform. This page describes the technical and organizational measures we implement to protect your data.
This is a factual description of our current security practices. If you have questions or need additional details, contact [email protected].
Encryption
In Transit
- All traffic to and from InkReef is encrypted using TLS 1.3, enforced by Cloudflare.
- HTTP Strict Transport Security (HSTS) is enabled, so browsers that have seen the header refuse plaintext HTTP connections to the site; this blocks protocol-downgrade and SSL-stripping attacks.
- API communications between services use encrypted channels.
At Rest
- Stored credentials (API keys, integration tokens) are encrypted using AES-256-GCM with per-tenant encryption keys.
- Database storage is encrypted at rest by Cloudflare D1's underlying infrastructure.
- Object storage (artwork, design files) is encrypted at rest by Cloudflare R2.
Authentication
- Password Hashing: All passwords are hashed using bcrypt, which generates a random salt for each password and stores it alongside the hash. Plaintext passwords are never stored or logged.
- Multi-Factor Authentication (MFA): TOTP-based MFA is available for all admin accounts. MFA adds a time-based one-time password (compatible with Google Authenticator, Authy, 1Password, etc.) as a second factor.
- Session Management: Sessions are token-based with configurable expiration. Sessions can be revoked individually or globally.
- Passwordless Portal: The customer portal uses email-based magic links for authentication, so no end-customer passwords exist to be stolen, reused or brute-forced. The link itself is the credential while it is valid, so the security of a portal login rests on the security of the customer's mailbox.
- Account Lockout: Accounts are temporarily locked after repeated failed login attempts to prevent brute-force attacks.
Access Control
- Role-Based Access Control (RBAC): The platform implements 8 distinct roles (Owner, Admin, Manager, Designer, Production, Sales, Accounting, Viewer) with 27 granular permissions controlling access to features and data.
- Principle of Least Privilege: Each role is granted only the minimum permissions necessary for its function.
- Team Management: Account owners can invite team members, assign roles, and revoke access at any time.
- API Key Scoping: API keys can be created with specific permission scopes, limiting what actions automated systems can perform.
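The role, permission and API-key-scoping model above, as an added example rather than InkReef's code. The eight role names are the ones the page lists; the permission names and the role-to-permission table are invented for illustration, since the page says there are 27 permissions but does not enumerate them. Two checks the example adds that the list implies but does not spell out: an API key's scopes must be a subset of what its issuer may do, and a key is re-checked against the issuer's current role at use time, so demoting or removing the issuer narrows every key they created.

```javascript
// Added example (not InkReef's code): RBAC with scoped API keys.
// Role names come from the page; permission names and the table are invented.
const ROLE_PERMISSIONS = Object.freeze({
  Owner: ['orders:read', 'orders:write', 'designs:read', 'designs:write', 'production:update',
    'invoices:read', 'invoices:write', 'team:manage', 'settings:manage', 'data:export', 'billing:manage'],
  Admin: ['orders:read', 'orders:write', 'designs:read', 'designs:write', 'production:update',
    'invoices:read', 'invoices:write', 'team:manage', 'settings:manage', 'data:export'],
  Manager: ['orders:read', 'orders:write', 'designs:read', 'production:update', 'invoices:read', 'data:export'],
  Designer: ['orders:read', 'designs:read', 'designs:write'],
  Production: ['orders:read', 'designs:read', 'production:update'],
  Sales: ['orders:read', 'orders:write', 'designs:read', 'invoices:read'],
  Accounting: ['orders:read', 'invoices:read', 'invoices:write', 'data:export'],
  Viewer: ['orders:read', 'designs:read', 'invoices:read'],
});
const ALL_PERMISSIONS = new Set(Object.values(ROLE_PERMISSIONS).flat());

function permissionsForRole(role) {
  const list = ROLE_PERMISSIONS[role];
  if (!list) throw new Error(`unknown role: ${role}`);
  return new Set(list);
}

let nextKeyId = 1;

// Mint an API key whose scopes are a subset of the issuer's own permissions.
// Without this check a Designer could create a key carrying team:manage and
// escalate through automation.
function createApiKey(issuer, requestedScopes) {
  const allowed = permissionsForRole(issuer.role);
  for (const scope of requestedScopes) {
    if (!ALL_PERMISSIONS.has(scope)) throw new Error(`unknown permission: ${scope}`);
    if (!allowed.has(scope)) throw new Error(`scope ${scope} exceeds issuer's permissions`);
  }
  return { kind: 'apiKey', id: `key_${nextKeyId++}`, issuerId: issuer.id, scopes: new Set(requestedScopes) };
}

// Authorization decision for a logged-in user or an API key. A key must pass
// BOTH its own scopes and the issuer's current role; unknown principal kinds
// are denied rather than ignored.
function authorize(principal, permission, lookupUser) {
  if (principal.kind === 'user') return permissionsForRole(principal.role).has(permission);
  if (principal.kind === 'apiKey') {
    if (!principal.scopes.has(permission)) return false;
    const issuer = lookupUser(principal.issuerId);
    if (!issuer) return false; // issuer removed from the team: key is dead
    return permissionsForRole(issuer.role).has(permission);
  }
  return false;
}

// Constructed directory and scenario: a Manager's key works until the Manager
// is demoted to Viewer; a Designer cannot mint a team:manage key.
const USERS = new Map([
  ['u1', { id: 'u1', role: 'Manager' }],
  ['u2', { id: 'u2', role: 'Designer' }],
]);
const lookupUser = (id) => USERS.get(id);

function demo() {
  const key = createApiKey(USERS.get('u1'), ['orders:write', 'data:export']);
  const before = authorize(key, 'data:export', lookupUser);
  USERS.set('u1', { id: 'u1', role: 'Viewer' });
  const after = authorize(key, 'data:export', lookupUser);
  let escalated = false;
  try {
    createApiKey(USERS.get('u2'), ['team:manage']);
    escalated = true;
  } catch {
    // expected: scope exceeds a Designer's permissions
  }
  return { before, after, escalated };
}
```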
Data Isolation
- Separate Databases: Each tenant's data is stored in its own dedicated Cloudflare D1 database rather than in a shared database partitioned by a tenant identifier. A query against one tenant's database therefore cannot return another tenant's rows, even if a filter were omitted.
- No Cross-Tenant Access: The platform architecture prevents any tenant from accessing another tenant's data. Database routing is enforced at the infrastructure level.
- Isolated Object Storage: Design files and artwork are stored in tenant-scoped paths within Cloudflare R2, with access controls preventing cross-tenant file access.
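The tenant-scoped object-storage paths above, as an added example that is not InkReef's code. The `tenants/<id>/` prefix layout and the tenant-id format are assumptions; the page says only that paths are tenant-scoped and that access controls prevent cross-tenant reads. Two practical points the example makes: the tenant id must be taken from the authenticated session rather than from the request, and a prefix check needs the trailing slash, because `tenants/acme` also matches `tenants/acme-archive/...`.

```javascript
// Added example (not InkReef's code): building and checking tenant-scoped
// R2 object keys. Prefix layout and id format are assumptions for this demo.
const TENANT_ID = /^[a-z0-9][a-z0-9-]{0,62}$/;

// Build the key for a file the caller named. R2 treats keys as opaque strings,
// so "../" does not climb out of a prefix by itself; the checks keep keys
// canonical so that prefix comparisons and prefix listings cannot be confused
// and a percent-encoded or empty segment cannot yield two keys for one file.
function tenantObjectKey(tenantId, relativePath) {
  if (!TENANT_ID.test(tenantId)) throw new Error('invalid tenant id');
  let decoded;
  try {
    decoded = decodeURIComponent(relativePath);
  } catch {
    throw new Error('malformed path encoding');
  }
  if (/[\\\0]/.test(decoded)) throw new Error('invalid character in path');
  const segments = decoded.split('/');
  for (const s of segments) {
    if (s === '' || s === '.' || s === '..') throw new Error(`invalid path segment: "${s}"`);
  }
  return `tenants/${tenantId}/${segments.join('/')}`;
}

// The trailing slash is what stops "tenants/acme" from matching
// "tenants/acme-archive/...".
function keyBelongsToTenant(key, tenantId) {
  return TENANT_ID.test(tenantId) && key.startsWith(`tenants/${tenantId}/`);
}

// Read a file on behalf of a session. The tenant id comes from the session,
// never from the request. `bucket` is anything with an R2-like get(key).
async function getTenantObject(bucket, session, relativePath) {
  const key = tenantObjectKey(session.tenantId, relativePath);
  if (!keyBelongsToTenant(key, session.tenantId)) return null; // belt and braces
  return bucket.get(key);
}

// Constructed stand-in for the R2 binding with two tenants' files.
const stubBucket = {
  objects: new Map([
    ['tenants/acme/designs/logo.svg', '<svg>acme</svg>'],
    ['tenants/other/designs/logo.svg', '<svg>other</svg>'],
  ]),
  async get(key) {
    return this.objects.get(key) ?? null;
  },
};
```

Listing a tenant's files would use the same `tenants/<id>/` string as the `prefix` of the list call, which is why the key builder refuses anything that could make two different inputs land on the same canonical key.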
Audit Logging
- All administrative actions are recorded in an immutable audit log, including the user, action, target entity, timestamp, and IP address.
- Audit logs capture: account changes, team member modifications, settings updates, data exports, login events, and permission changes.
- Audit logs are retained for 12 months and are accessible to account administrators through the dashboard.
- Platform-level audit logs (super admin actions, tenant provisioning, security events) are maintained separately.
Infrastructure
- Cloudflare Workers: The platform runs on Cloudflare Workers, a globally distributed serverless compute platform. There are no traditional servers to patch or maintain.
- DDoS Protection: Cloudflare's network provides automatic DDoS mitigation at layers 3, 4, and 7.
- Web Application Firewall (WAF): Cloudflare's WAF filters requests that match known web attack patterns (SQL injection, XSS) before they reach the application. It is a defense-in-depth layer in front of the server-side input validation described below, not a replacement for it.
- Global Distribution: The platform runs in data centers across the globe, providing low-latency access and automatic regional failover.
- No Exposed Servers: The serverless architecture removes traditional server-level attack vectors (SSH, open ports, OS vulnerabilities). Application-level risks such as logic flaws, injection and misconfiguration remain and are addressed under Application Security below.
Backups and Recovery
- D1 Time Travel: Cloudflare D1 provides 30-day point-in-time recovery, allowing databases to be restored to any point in the last 30 days.
- Data Export: Tenants can export their data at any time through the platform's built-in export features (CSV, JSON formats).
- Disaster Recovery: The globally distributed architecture provides inherent redundancy. Data is replicated across Cloudflare's network.
Monitoring and Incident Response
- Health Checks: Automated health checks monitor platform availability and performance.
- Error Tracking: Application errors are captured and tracked with automated alerting for anomalies.
- Uptime Monitoring: External uptime monitoring verifies platform availability from multiple locations.
- Incident Response: Security incidents are investigated promptly. Personal data breaches are notified within 72 hours of InkReef becoming aware of them, in line with GDPR breach-notification timelines.
- Vulnerability Management: Dependencies are regularly reviewed and updated. Security patches are applied promptly.
Payment Security
- All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.
- InkReef never stores, processes, or has access to full credit card numbers. Card data flows directly from the user's browser to Stripe's servers.
- Stripe handles PCI compliance, tokenization, and fraud detection.
Application Security
- Input Validation: All user inputs are validated and sanitized server-side using a structured validation library.
- Error Sanitization: Error messages are sanitized to prevent leakage of sensitive information (credentials, tokens, internal paths).
- Rate Limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks.
- CORS: Cross-origin resource sharing is configured to allow only authorized origins.
- Content Security Policy: CSP headers restrict the sources from which scripts, styles and other content may load, mitigating XSS and data-injection attacks.
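The CORS and CSP controls above, together with the HSTS header from the Encryption section, as an added example in the shape of a Workers fetch handler. This is not InkReef's configuration: the origin allowlist, hostnames and CSP directives are assumptions, and the Stripe entries reflect Stripe.js's documented requirements on the assumption that checkout is embedded with Stripe.js. The check worth noticing is that CORS headers are emitted only for an allowlisted origin and never by reflecting whatever `Origin` arrives.

```javascript
// Added example (not InkReef's configuration): HSTS, CSP and CORS in a
// Workers-style fetch handler. Origins, hosts and directives are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.inkreef.example', 'https://portal.inkreef.example']);

const CSP = [
  "default-src 'self'",
  "script-src 'self' https://js.stripe.com",
  "frame-src https://js.stripe.com",
  "connect-src 'self' https://api.stripe.com",
  "img-src 'self' data: blob:",
  "style-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
  "form-action 'self'",
  "frame-ancestors 'none'",
].join('; ');

// CORS headers only for an allowlisted Origin, echoing the exact value.
// "*" cannot be combined with credentials, and reflecting an arbitrary Origin
// would hand every site on the web a credentialed API.
function corsHeaders(request) {
  const origin = request.headers.get('Origin');
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Access-Control-Max-Age': '600',
    Vary: 'Origin', // caches must key on Origin or they serve one origin's ACAO to another
  };
}

function withSecurityHeaders(request, response) {
  const headers = new Headers(response.headers);
  // One year, including subdomains: browsers will then refuse plain HTTP for the host.
  headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  headers.set('Content-Security-Policy', CSP);
  for (const [name, value] of Object.entries(corsHeaders(request))) headers.set(name, value);
  return new Response(response.body, { status: response.status, statusText: response.statusText, headers });
}

// Minimal handler: answer preflights with 204 and wrap everything else.
// The application routing that would sit in the middle is a constructed placeholder.
async function handleRequest(request) {
  if (request.method === 'OPTIONS') {
    return withSecurityHeaders(request, new Response(null, { status: 204 }));
  }
  const body = JSON.stringify({ ok: true });
  return withSecurityHeaders(
    request,
    new Response(body, { status: 200, headers: { 'Content-Type': 'application/json' } }),
  );
}
```

A preflight from a non-allowlisted origin still gets a 204, but without any `Access-Control-Allow-*` headers, so the browser blocks the actual request; that is the intended behaviour and avoids giving probing clients a distinguishable error.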
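The account lockout from the Authentication section and the rate limiting above, as one added example that is not InkReef's code. The thresholds, the doubling lock duration, and the in-memory state are assumptions; on Workers this state would live in Durable Objects, KV or D1, and the page does not say which. The clock is injectable so the lockout can be exercised without waiting, and the login flow returns the same generic 401 for a locked account as for a wrong password so that responses do not reveal which accounts exist or are locked (the page's error-sanitization point applied to authentication).

```javascript
// Added example (not InkReef's code): login lockout plus a fixed-window
// request limiter. Thresholds, windows and in-memory storage are assumptions.

// Locks an account after `maxFailures` consecutive failures; each further
// lockout doubles the lock time, capped at `maxLockSeconds`.
class LoginGuard {
  constructor({ maxFailures = 5, baseLockSeconds = 900, maxLockSeconds = 86400, now = () => Date.now() / 1000 } = {}) {
    Object.assign(this, { maxFailures, baseLockSeconds, maxLockSeconds, now });
    this.state = new Map(); // accountId -> { failures, lockouts, lockedUntil }
  }
  entry(id) {
    if (!this.state.has(id)) this.state.set(id, { failures: 0, lockouts: 0, lockedUntil: 0 });
    return this.state.get(id);
  }
  isLocked(id) {
    return this.entry(id).lockedUntil > this.now();
  }
  recordFailure(id) {
    const e = this.entry(id);
    e.failures += 1;
    if (e.failures >= this.maxFailures) {
      const lock = Math.min(this.baseLockSeconds * 2 ** e.lockouts, this.maxLockSeconds);
      e.lockouts += 1;
      e.failures = 0;
      e.lockedUntil = this.now() + lock;
    }
  }
  recordSuccess(id) {
    this.state.delete(id);
  }
}

// Fixed-window counter per client key (an IP, an API key id, ...).
class FixedWindowLimiter {
  constructor({ limit = 20, windowSeconds = 60, now = () => Date.now() / 1000 } = {}) {
    Object.assign(this, { limit, windowSeconds, now });
    this.counts = new Map(); // key -> { windowStart, count }
  }
  hit(key) {
    const t = this.now();
    const windowStart = Math.floor(t / this.windowSeconds) * this.windowSeconds;
    let c = this.counts.get(key);
    if (!c || c.windowStart !== windowStart) {
      c = { windowStart, count: 0 };
      this.counts.set(key, c);
    }
    c.count += 1;
    const allowed = c.count <= this.limit;
    return { allowed, retryAfter: allowed ? 0 : windowStart + this.windowSeconds - t };
  }
}

// Login flow: cheap per-client limit first, then the lock, then the credential.
// Locked, unknown and wrong-password cases all return the same 401.
async function attemptLogin({ guard, limiter, clientKey, accountId, password, verifyPassword }) {
  const rl = limiter.hit(clientKey);
  if (!rl.allowed) return { status: 429, retryAfter: Math.ceil(rl.retryAfter) };
  if (guard.isLocked(accountId)) return { status: 401 };
  if (await verifyPassword(accountId, password)) {
    guard.recordSuccess(accountId);
    return { status: 200 };
  }
  guard.recordFailure(accountId);
  return { status: 401 };
}

// Constructed scenario with a fake clock: five wrong passwords lock the
// account; the right password is refused during the lock and accepted after.
async function demo() {
  let t = 1_000_000;
  const now = () => t;
  const guard = new LoginGuard({ maxFailures: 5, baseLockSeconds: 900, now });
  const limiter = new FixedWindowLimiter({ limit: 100, windowSeconds: 60, now });
  const verifyPassword = async (id, pw) => id === 'alice' && pw === 'correct horse'; // stand-in for the bcrypt check
  const login = (password) =>
    attemptLogin({ guard, limiter, clientKey: '203.0.113.7', accountId: 'alice', password, verifyPassword });
  const out = {};
  for (let i = 0; i < 5; i++) await login('wrong');
  out.whileLocked = (await login('correct horse')).status;
  t += 901;
  out.afterLock = (await login('correct horse')).status;
  return out;
}
```

The per-client limiter and the per-account lock deliberately key on different things: the limiter slows one source spraying many accounts, the lock stops many sources targeting one account.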
What We Do Not Claim
We believe in transparency. The following are things we do not currently hold or claim:
- We are not SOC 2 certified. Our controls follow SOC 2-aligned principles (access controls, audit logging, encryption, monitoring), and we intend to pursue certification as the platform grows.
- We are not ISO 27001 certified.
- We are not HIPAA compliant. The platform is not designed for processing protected health information.
- We are not PCI DSS certified. Payment processing is handled entirely by Stripe, which is PCI DSS Level 1 certified. InkReef does not process or store cardholder data.
Responsible Disclosure
If you discover a security vulnerability in InkReef, we encourage responsible disclosure. Please report vulnerabilities to [email protected]. We will acknowledge receipt within 48 hours and work to address the issue promptly.
Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.
Contact
For security-related questions or to report a vulnerability:
- Email: [email protected]
- Privacy inquiries: [email protected]