1) Overview
NodeCrest is built with a security-first approach. This page summarizes our current controls and the way we handle reports.
2) Responsible Disclosure
- Report suspected vulnerabilities privately to [email protected].
- Avoid data destruction, exfiltration, or service disruption. Use test accounts where possible.
- We’ll acknowledge your report within a reasonable time, keep you updated, and notify you when the issue is fixed. Safe harbor applies to good-faith research.
3) Data Protection
- Transport: All traffic over HTTPS/TLS. HSTS enforced on primary domains.
- Storage: Credentials stored as salted password hashes; no plaintext passwords.
- Secrets: Environment-scoped secrets; least-privilege access.
- Isolation: Logical separation between environments (prod vs non-prod).
4) Account Security
- Authentication: Email+password and supported SSO providers (e.g., Discord, Minecraft).
- Password policy: Minimum length; hashing with modern algorithms; reset links time-boxed.
- Multi-Factor: We support adding additional factors where available; we recommend enabling them.
- API keys: Scoped to user/workspace; rotate on suspicion of compromise.
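The password-policy bullets above name three controls: a minimum length, salted hashing with a modern algorithm, and time-boxed reset links. The following is an added, self-contained illustration of those three controls in Python; it is not NodeCrest's code. The length minimum, the scrypt cost parameters and the 15-minute reset-link lifetime are assumed values chosen for the example, and the stores are in-memory dictionaries standing in for a database.

```python
import hashlib
import hmac
import os
import secrets
import time

MIN_PASSWORD_LENGTH = 12          # assumed policy minimum
RESET_LINK_TTL_SECONDS = 15 * 60  # assumed: reset links expire after 15 minutes

# Assumed scrypt cost parameters (128 * N * r * p bytes of memory = 16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str) -> dict:
    """Return a storable record: algorithm, parameters, random salt and derived hash.

    No plaintext is kept; a fresh 16-byte salt means identical passwords
    produce different records.
    """
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password shorter than policy minimum")
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(record["salt"]),
                               n=record["n"], r=record["r"], p=record["p"],
                               dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


class ResetTokenStore:
    """Single-use, time-boxed password reset tokens.

    Only a SHA-256 of the token is stored, so a leaked table of pending
    resets does not yield usable links. `now` is injectable for testing.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # the value that goes into the reset link
        self._tokens[self._key(token)] = (user_id, self._now() + RESET_LINK_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user id if the token is known and unexpired, else None.

        The entry is removed on first use whether or not it is still valid.
        """
        entry = self._tokens.pop(self._key(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec["alg"], rec["salt"][:8] + "...")
    print("verify ok:", verify_password("correct horse battery staple", rec))
    store = ResetTokenStore()
    tok = store.issue("user-1")
    print("redeem once:", store.redeem(tok), "redeem again:", store.redeem(tok))
```

Two details worth noting: the record carries its own algorithm and cost parameters, so hashes can be re-derived and upgraded later without guessing how they were made; and the reset token is removed from the store on first redemption attempt, so a link cannot be replayed after use or after expiry.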
5) Sessions, Logs & Monitoring
- Sessions: HttpOnly cookies; configurable TTL; server-side invalidation on logout and revoke-others.
- IP & UA: Stored with sessions to help detect unusual activity.
- Logging: Access and error logs retained for a limited window for security and diagnostics.
- Monitoring: Uptime and basic anomaly detection on critical paths.
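The session bullets above describe HttpOnly cookies, a configurable TTL, server-side invalidation on logout and revoke-others, and IP/User-Agent stored alongside the session. The code below is an added illustration of that server-side model in Python and is not NodeCrest's implementation. The 12-hour TTL, the cookie name and the in-memory dictionary store are assumptions for the example; only a hash of the session id is kept server-side so a copied store does not yield usable cookies.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 12 * 3600  # assumed default TTL; configurable per store


@dataclass
class Session:
    user_id: str
    created_at: float
    expires_at: float
    ip: str
    user_agent: str


class SessionStore:
    """Server-side session table keyed by SHA-256 of the cookie value."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now          # injectable clock for testing
        self._sessions = {}      # sha256(session id) -> Session

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def create(self, user_id: str, ip: str, user_agent: str) -> str:
        """Mint a random session id and record the client's IP and UA with it."""
        session_id = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[self._key(session_id)] = Session(
            user_id, now, now + self._ttl, ip, user_agent)
        return session_id

    def lookup(self, session_id: str, ip: str, user_agent: str):
        """Return (session, warnings); (None, []) if unknown or expired.

        Expired entries are dropped on sight. Warnings flag a changed IP or
        UA so the application can log or step-up authentication; they do
        not by themselves reject the request.
        """
        key = self._key(session_id)
        session = self._sessions.get(key)
        if session is None:
            return None, []
        if self._now() >= session.expires_at:
            del self._sessions[key]
            return None, []
        warnings = []
        if ip != session.ip:
            warnings.append("ip_changed")
        if user_agent != session.user_agent:
            warnings.append("user_agent_changed")
        return session, warnings

    def logout(self, session_id: str) -> bool:
        """Invalidate this session server-side; a replayed cookie is then useless."""
        return self._sessions.pop(self._key(session_id), None) is not None

    def revoke_others(self, session_id: str) -> int:
        """Keep the calling session, drop every other session of the same user."""
        keep = self._key(session_id)
        current = self._sessions.get(keep)
        if current is None:
            return 0
        doomed = [k for k, s in self._sessions.items()
                  if s.user_id == current.user_id and k != keep]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def set_cookie_value(session_id: str, ttl=SESSION_TTL_SECONDS, name="session") -> str:
    """Set-Cookie header value: HttpOnly keeps it from script, Secure limits it to TLS."""
    return f"{name}={session_id}; Max-Age={ttl}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore(ttl=3600)
    sid = store.create("user-1", "203.0.113.5", "ExampleBrowser/1.0")  # constructed values
    print("Set-Cookie:", set_cookie_value(sid, ttl=3600))
    print("lookup:", store.lookup(sid, "203.0.113.5", "ExampleBrowser/1.0")[1])
    print("logout:", store.logout(sid), "again:", store.logout(sid))
```

The point of holding state server-side is that invalidation is authoritative: once `logout` or `revoke_others` removes an entry, a cookie the client still holds stops working immediately, which a purely client-side signed token cannot offer without an extra revocation list.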
6) Backups & Disaster Recovery
- Regular encrypted backups of core data stores.
- Periodic restore tests to validate recovery procedures.
- Documented RPO/RTO targets for critical services.
7) Vulnerability Management
- Dependency updates and security advisories tracked continuously.
- Critical issues patched with priority; lower severity issues in scheduled cycles.
- Pre-deployment checks (linting, CI, basic SAST) and targeted reviews for sensitive code paths.
8) Third-Party Services
We rely on select providers (e.g., hosting, CDN, email, payments). Each is reviewed for security posture and subject to contractual safeguards.
9) Data Retention & Deletion
- We keep personal data only as long as necessary for operation, support, legal obligations, and dispute resolution.
- Account owners may request deletion; certain records may be retained where required by law or for fraud prevention.
10) Physical & Infrastructure
- Production systems run in secured data centres with industry-standard controls (power, cooling, access management).
- Access restricted to authorized personnel; actions are logged.
11) Compliance & Regions
We aim to align with applicable privacy/security laws in the regions where we operate. Data may be processed in multiple jurisdictions as described in our Privacy Policy.
12) Incident Response
- Defined triage and escalation for suspected incidents.
- Containment, remediation, and post-mortem with follow-up actions.
- Where required, we notify affected users and/or authorities.
13) Contact Security
Email: [email protected]
Status page (uptime & incidents): https://status.nodecrest.com/ (if available).