Security
Each bot's data is fully isolated with PostgreSQL Row Level Security, and sensitive data is encrypted with AES-256-GCM. From encrypted transport to Cloudflare's edge defenses, we protect in layers.
Implemented Measures
Rather than dressing things up with fancy language, we simply list the measures we currently have in place — from traffic to data, with the right safeguard at each layer.
Traffic encrypted with TLS 1.3
Cloudflare WAF and DDoS Protection
Sensitive data encrypted with AES-256-GCM
Per-bot data fully isolated with RLS
All admin operations logged in audit
Implemented security measures
8 / 8
Encrypt traffic with TLS 1.3
Cloudflare DDoS Protection
Cloudflare WAF
SSL mode: Full (Strict)
HMAC request signature verification
Encrypt sensitive data with AES-256-GCM
PostgreSQL Row Level Security
Audit log for admin operations
Defense in Depth
Client, edge, application, and database — each layer has a distinct safeguard. If one layer is breached, the next stops it.
Defense-in-depth architecture
Client
TLS 1.3
Encrypts traffic between browsers / API clients and our servers.
Edge
Cloudflare
WAF, DDoS Protection, and Edge protection. SSL mode is Full (Strict).
Application
HMAC signing
Important API requests are signed with HMAC so we can detect tampering.
Database
AES-256-GCM + RLS
Sensitive data encrypted with AES-256-GCM. Per-bot data is also isolated with PostgreSQL Row Level Security.
Audit log
Current retention: 7 days
14:32:01
admin@botshade
bot.deploy
Bot 'WelcomeBot'
14:31:45
user_8f2k
variable.update
welcome_count = 3,421
14:30:22
user_7b1m
permission.denied
Attempted access to another bot's resources
14:29:58
edge
request.blocked
Blocked by Cloudflare WAF
14:28:30
system
backup.complete
06:00 JST snapshot
Audit
Who did what, and when. Admin operations and security events are kept as an audit log. Logs are exportable per ID for incident investigation and post-mortems.
Records admin and security events
Exportable per ID
Current retention: 7 days
How It Works
Cloudflare-protected traffic
TLS 1.3 traffic is delivered via Cloudflare. WAF, DDoS Protection, and Edge protection are enabled, and SSL mode runs at Full (Strict). The origin side is locked to a Cloudflare origin certificate.
HMAC request signatures
Important API requests are signed with HMAC so we can detect tampering.
AES-256-GCM for sensitive data
Personal and sensitive data are stored encrypted with AES-256-GCM. Decryption keys are stored separately in a cloud secret manager.
Audit log + per-bot isolation
All admin operations are logged and exportable per ID (current retention: 7 days). Per-bot data is fully isolated with PostgreSQL Row Level Security and a composite primary key.
TLS 1.3
Traffic encryption
Cloudflare Full (Strict)
AES-256-GCM
Sensitive data encryption
Keys stored separately
HMAC
Request signatures
Tamper detection
7 days
Audit log retention
Per-ID export available
Responsible Disclosure
If you notice a security issue, let us know before exploiting or disclosing it. We respond in good faith to every report made in good faith.
01
Report it
Send reproduction steps and the scope of impact to the contact below.
02
We acknowledge
We review your report and confirm we've received it.
03
Investigate & fix
We assess the impact and fix by priority, keeping you posted.
04
Disclose & credit
After a fix, we publish details where appropriate — and credit you if you'd like.
Please don't affect other users' data or the service while testing. We won't pursue legal action for good-faith research reported responsibly.
Report to: help@botshade.com