Security
The one-pager for vendor reviews — last updated 2026-07-04
Architecture
Serving infrastructure is physically separated from data production. The public endpoint is fronted by
Cloudflare (TLS 1.3, DDoS protection) and connected via outbound-only tunnel — the serving host accepts no
inbound connections and exposes no ports. The analytical dataset served is a read-only weekly snapshot;
production systems are never reachable from the public surface.
Authentication & authorization
- Access keys are stored as SHA-256 hashes only; shown once at issuance; revocable instantly.
- OAuth 2.1 with PKCE for AI-assistant connectors; opaque server-side tokens, revocation cascades from the key.
- Entitlements are checked server-side on every request — nothing trust-sensitive lives in tokens.
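The three points above describe a concrete design: keys persisted only as SHA-256 digests and shown once, opaque server-side tokens whose revocation follows the key, entitlements looked up on every request rather than embedded in a token, and PKCE for the OAuth 2.1 connector flow. The following is an added example written for this page, not HostingBrain's own code; the KeyStore class, the `hb_` key prefix and the entitlement strings are assumptions for illustration.

```python
"""Added example (not HostingBrain's code): hashed access keys, opaque tokens
with revocation cascading from the key, server-side entitlement checks, and
PKCE S256 verification. KeyStore, the hb_ prefix and the entitlement names
are assumptions for illustration."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class KeyRecord:
    key_hash: str           # hex SHA-256 of the plaintext key; plaintext is never stored
    customer_id: str
    entitlements: Set[str]  # lives server-side only, never encoded into a key or token
    revoked: bool = False


def key_hash(plaintext: str) -> str:
    """Plain SHA-256 is adequate because the key is a 256-bit random secret,
    not a human-chosen password, so no salt or slow KDF is required."""
    return hashlib.sha256(plaintext.encode()).hexdigest()


class KeyStore:
    def __init__(self) -> None:
        self._keys: Dict[str, KeyRecord] = {}   # key_hash -> record
        self._tokens: Dict[str, str] = {}       # opaque token -> key_hash

    def issue(self, customer_id: str, entitlements: Set[str]) -> str:
        """Mint a key, persist only its hash, and return the plaintext once."""
        plaintext = "hb_" + secrets.token_urlsafe(32)
        rec = KeyRecord(key_hash(plaintext), customer_id, set(entitlements))
        self._keys[rec.key_hash] = rec
        return plaintext

    def lookup(self, presented: str) -> Optional[KeyRecord]:
        """Hash the presented key and look the digest up. No plaintext is ever
        compared, and a dict lookup on the digest of a high-entropy key leaks
        nothing useful about other keys."""
        rec = self._keys.get(key_hash(presented))
        return rec if rec and not rec.revoked else None

    def authorize(self, presented: str, required: str) -> bool:
        """Entitlement check performed against the store on every request."""
        rec = self.lookup(presented)
        return rec is not None and required in rec.entitlements

    def issue_token(self, presented: str) -> Optional[str]:
        """Opaque server-side token (e.g. for a connector) bound to the key."""
        rec = self.lookup(presented)
        if rec is None:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = rec.key_hash
        return token

    def resolve_token(self, token: str) -> Optional[KeyRecord]:
        h = self._tokens.get(token)
        if h is None:
            return None
        rec = self._keys.get(h)
        return rec if rec and not rec.revoked else None

    def revoke(self, digest: str) -> None:
        """Revoke by hash (an operator never needs the plaintext) and cascade
        the revocation to every token derived from that key."""
        rec = self._keys.get(digest)
        if rec:
            rec.revoked = True
        self._tokens = {t: h for t, h in self._tokens.items() if h != digest}


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 method: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_verify(verifier: str, challenge: str) -> bool:
    """Authorization-server side: recompute the challenge and compare in constant time."""
    return hmac.compare_digest(pkce_challenge(verifier), challenge)
```

The point of the design is that a leaked database row yields only digests of unguessable secrets, while a leaked token is worthless the moment its parent key is revoked, and neither artefact carries any entitlement a client could tamper with.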
Data protection
- Answers are row-capped and rate-limited; the surface is designed for analysis, not extraction.
- Customer query subjects are confidential: never visible to other customers, never sold; query
parameters are reduced to theme-level aggregates after 90 days.
- Payment data (when launched) is handled entirely by Stripe — we never see card numbers.
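The first bullet above pairs two controls, a row cap on every answer and a per-key rate limit, so that a single key cannot page through the whole snapshot. The following is an added example, not HostingBrain's code; the cap, the request budget, the window length and the sample rows are constructed values, not the product's real limits.

```python
"""Added example (not HostingBrain's code): a row cap and a per-key sliding
window rate limit applied to every answer. ROW_CAP, MAX_REQUESTS,
WINDOW_SECONDS and SAMPLE_ROWS are constructed values for illustration."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List

ROW_CAP = 500            # assumed cap; the page does not state the real one
MAX_REQUESTS = 60        # assumed per-key budget per window
WINDOW_SECONDS = 60.0

# Constructed sample dataset standing in for the read-only weekly snapshot.
SAMPLE_ROWS: List[dict] = [{"host": f"host-{i}", "score": i % 7} for i in range(1200)]


class SlidingWindowLimiter:
    """Per-key limiter: at most max_requests within any trailing window."""

    def __init__(self, max_requests: int = MAX_REQUESTS, window: float = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_requests = max_requests
        self.window = window
        self.clock = clock          # injectable so the limiter is testable offline
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key_id: str) -> bool:
        now = self.clock()
        hits = self._hits[key_id]
        while hits and now - hits[0] >= self.window:   # expire old requests
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def answer_query(rows: List[dict], key_id: str, limiter: SlidingWindowLimiter) -> dict:
    """Apply the rate limit first, then truncate the result to ROW_CAP and
    tell the caller it was truncated rather than silently returning less."""
    if not limiter.allow(key_id):
        return {"status": 429, "rows": [], "truncated": False, "row_cap": ROW_CAP}
    capped = rows[:ROW_CAP]
    return {"status": 200, "rows": capped, "truncated": len(rows) > len(capped), "row_cap": ROW_CAP}
```

Reporting `truncated` explicitly is the defender-friendly choice: an analyst gets a clear signal to refine the query, while the ceiling on rows per answer multiplied by the request budget bounds how much of the snapshot any one key can pull per window.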
Honest scope
We are a small, pre-launch product and say so: no SOC 2 yet, no formal certifications. What you get
instead is a minimal attack surface (one endpoint, read-only data, no inbound network path), current
patching, and a founder who answers security questions directly at [email protected].