Security
How we protect your data and our infrastructure.
API Authentication
Bearer Token Authentication Active
- All authenticated endpoints require a Bearer token in the
Authorization header.
- API keys are generated as cryptographically random 256-bit tokens.
- Keys are hashed (SHA-256) before storage — we cannot retrieve your original key. If lost, generate a new one.
- Each key is scoped to a single tenant and subscription tier.
- Keys can be revoked instantly via the API or dashboard.
Webhook Security Active
- Webhook deliveries include an HMAC-SHA256 signature in the
X-Regime-Signature header.
- Each tenant receives a unique webhook signing secret at registration.
- Verify signatures server-side before processing webhook payloads to prevent spoofing.
Encryption
Data in Transit Active
- All API traffic is encrypted via HTTPS/TLS 1.2+ (TLS 1.3 preferred).
- TLS termination is handled by Cloudflare with automatic certificate management.
- HTTP requests are automatically redirected to HTTPS.
- HSTS headers enforce HTTPS for all subsequent requests.
Data at Rest Active
- Application databases use SQLite with WAL (Write-Ahead Logging) mode for data integrity.
- Sensitive configuration values (API keys, webhook secrets) are hashed before storage.
- Payment data is stored exclusively by Stripe and never touches our servers.
- Server disk encryption is enabled at the OS level.
Rate Limiting and Abuse Protection
Multi-Layer Rate Limiting Active
- Per-key rate limiting: Enforced per API key based on subscription tier (10/120/1000 RPM).
- Per-IP rate limiting: Unauthenticated endpoints have IP-based limits to prevent abuse.
- Daily quota enforcement: Free and Pro tiers have daily call limits (500/10,000).
- Automatic throttling: Exceeding limits returns HTTP 429 with
Retry-After header.
- Persistent abuse: Automated detection can temporarily suspend keys exhibiting abusive patterns.
What We Don't Store
No Sensitive Financial Data Active
Regime Intelligence is a read-only market intelligence API. We never ask for, receive, or store:
- Wallet private keys or seed phrases
- Exchange API keys or trading credentials
- Credit card numbers (handled exclusively by Stripe)
- Trading history or portfolio holdings
- Bank account information
Our API provides market data out. It never requires sensitive credentials in.
Infrastructure Security
Cloudflare Protection Active
- DDoS mitigation: All traffic passes through Cloudflare's global network with automatic DDoS protection.
- Web Application Firewall (WAF): Filters malicious requests before they reach our servers.
- Bot management: Automated abuse detection for credential stuffing and scraping attempts.
- Tunnel architecture: Origin server is not directly exposed to the internet. All traffic routes through Cloudflare Tunnel, eliminating direct attack surface.
Application Security Active
- Input validation on all API parameters to prevent injection attacks.
- Parameterized database queries (no string concatenation in SQL).
- CORS headers configured to prevent unauthorized cross-origin access.
- Dependencies monitored for known vulnerabilities.
- No server-side rendering of user input (XSS prevention).
- Automated security scanning: Semgrep static analysis runs on every push via GitHub integration, catching OWASP Top 10 vulnerabilities before deployment.
Data Minimization Active
- No customer data stored beyond email address and hashed API key.
- No payment data stored — all billing handled by Stripe (PCI-DSS Level 1).
- API usage logs retained for 30 days, then purged.
- No cookies or tracking pixels — analytics via privacy-first tools only.
Incident Response
- Security incidents are investigated within 24 hours of detection.
- Affected users are notified via email within 72 hours of a confirmed breach.
- API keys are rotated and reissued if key material is compromised.
- Post-incident reports are published for significant events.
Responsible Disclosure
We welcome security researchers who help us keep Regime Intelligence safe. If you discover a vulnerability:
- Email [email protected] with a detailed description of the issue.
- Include steps to reproduce the vulnerability.
- Allow us reasonable time (90 days) to address the issue before public disclosure.
- Do not access, modify, or delete data belonging to other users during your research.
We commit to:
- Acknowledging your report within 48 hours.
- Providing regular updates on remediation progress.
- Crediting researchers (with permission) in our security acknowledgments.
- Not pursuing legal action against researchers acting in good faith.
Compliance Roadmap
Current
- HTTPS/TLS encryption on all endpoints
- GDPR-aligned data rights (access, deletion, export)
- Stripe PCI DSS compliance for payment processing
- Privacy-focused analytics (Plausible, no cookies)
- Cloudflare DDoS and WAF protection
Planned Roadmap
- SOC 2 Type II — Planned when reaching $50K+ MRR. Will cover security, availability, and confidentiality trust service criteria.
- Penetration testing — Annual third-party penetration testing planned at $25K+ MRR.
- Bug bounty program — Formal program planned at $100K+ MRR.
Questions
For security-related questions or to report a vulnerability:
Email: [email protected]
General support: [email protected]