Security
Overview
TitleMind.AI is built on Cloudflare's edge platform with defense-in-depth security baked into every layer. This page documents our public security posture; for a more detailed security review (SOC 2-equivalent), email [email protected].
Infrastructure
- Platform: Cloudflare Workers (compute), D1 (database), R2 (storage), KV (cache), Pages (frontend)
- No traditional VPS, EC2, or container infrastructure — eliminates an entire class of OS-level + container-escape vulnerabilities
- Global anycast network with built-in DDoS protection
- TLS 1.3 end-to-end; HSTS preload-eligible; modern cipher suite
Authentication + Access Control
- API keys (tm_live_* format) stored as SHA-256 hashes in D1 — even with full database access an attacker cannot recover plaintext keys
- 5-tier RBAC — READ / PARTNER / WRITE / ADMIN / STEWARD
- Restricted Stripe keys (rk_live_*) per scoped operation
- Inter-worker HMAC signing via INTER_WORKER_SECRET on all 10 mesh workers; rotated every 60 days
- OAuth 2.1 + PKCE for MCP server (S256 challenge)
- No long-lived passwords; all access is via short-lived bearer tokens or OAuth-issued JWTs
Data Protection
- In transit: TLS 1.3 to all endpoints
- At rest: Cloudflare R2 server-side encryption (AES-256); D1 encrypted at rest by Cloudflare
- Document content hashes: every uploaded document gets a SHA-256 content hash for tamper detection + deduplication
- No customer data shared with AI training pipelines — all LLM use is under no-training contracts with Anthropic + Google
Audit + Compliance
- Hash-chained audit log — every authenticated request writes a log entry whose signature includes the previous entry's hash. Detects tampering at log entry granularity.
- Audit chain integrity check runs every 5 minutes via cron; alerts on hash mismatch
- All secrets managed via Cloudflare Workers secrets (write-only after creation); never in source code or chat
- Pre-commit secret scanning via gitleaks blocks credential shapes from entering git
- Per-key rate limiting (configurable per tier) with X-RateLimit-* response headers
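
The hash-chained audit log and its periodic integrity check listed above can be sketched as follows. This is an added example, not TitleMind.AI's code: the entry fields, the all-zero genesis value, the HMAC key and the separately stored head hash are assumptions.

```javascript
// Added example: names, fields and the secret are assumptions, not TitleMind's code.
// Load Node's crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');
const GENESIS = '0'.repeat(64); // assumed "previous hash" for the first entry

// MAC over the previous entry's hash plus this entry's fields in a fixed order.
function entryMac(secret, prevHash, e) {
  const payload = JSON.stringify([prevHash, e.ts, e.keyId, e.method, e.path]);
  return nodeCrypto.createHmac('sha256', secret).update(payload).digest('hex');
}

function appendEntry(log, secret, fields) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  log.push({ ...fields, prevHash, hash: entryMac(secret, prevHash, fields) });
  return log[log.length - 1].hash; // new head; keep a copy outside the log
}

// Returns -1 if the chain is intact, otherwise the index of the first bad entry.
// log.length means a valid chain that does not end at expectedHead (truncation).
function verifyChain(log, secret, expectedHead) {
  let prevHash = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const want = Buffer.from(entryMac(secret, prevHash, log[i]), 'hex');
    const got = Buffer.from(String(log[i].hash), 'hex');
    const macOk = got.length === want.length && nodeCrypto.timingSafeEqual(got, want);
    if (log[i].prevHash !== prevHash || !macOk) return i;
    prevHash = log[i].hash;
  }
  return prevHash === expectedHead ? -1 : log.length;
}

// Constructed sample data, run through three tampering cases.
function demo() {
  const secret = 'constructed-demo-secret';
  const log = [];
  let head;
  for (const [ts, path] of [[1, '/v1/search'], [2, '/v1/docs/42'], [3, '/v1/export']]) {
    head = appendEntry(log, secret, { ts, keyId: 'key_demo', method: 'GET', path });
  }
  const copy = () => log.map((e) => ({ ...e }));
  const edited = copy(); edited[1].path = '/v1/docs/7'; // field changed in place
  const removed = copy(); removed.splice(1, 1);          // middle entry deleted
  const truncated = copy().slice(0, 2);                  // newest entry dropped
  const check = (l) => verifyChain(l, secret, head);
  return { intact: check(log), edited: check(edited), removed: check(removed), truncated: check(truncated) };
}
```

Dropping the newest entries leaves a shorter chain that still verifies link by link, so the check only catches truncation because the expected head hash is kept somewhere the log writer cannot rewrite.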
Network Posture
- Strict CORS allowlist: only titlemind.ai, vara-gis.pages.dev, and app.titlemind.ai
- Content Security Policy (CSP) on all pages: default-src 'self', no inline scripts, no eval, no third-party origins except an explicitly allowlisted font CDN
- frame-ancestors 'none' prevents click-jacking
- Stripe webhook signature verification via HMAC-SHA256 (Web Crypto, constant-time compare)
Vulnerability Management
- Continuous npm audit in CI; PR-blocking gates on high + critical advisories
- Allowlisted GHSAs are reviewed quarterly + tracked in outputs/_phase20/
- Quarterly dependency upgrade cycle on production workers
- Wrangler version pinned (3.114.17 except titlemind-container which uses v4.x for Cloudflare Containers)
Incident Response
- Monitoring: Sentry error capture across all production workers; cron-based health probes alert on degradation
- Disclosure: report security issues to [email protected]. We acknowledge within 24 hours and aim to remediate critical vulnerabilities within 72 hours.
- Customer notification: in the event of a data breach affecting your account, we will notify you within 72 hours per applicable law (TDPSA, CCPA, GDPR if applicable).
Backup + Recovery
- D1 daily snapshots retained for 30 days
- R2 object versioning retains the last 90 days of object revisions
- Disaster recovery RTO: 4 hours; RPO: 24 hours
- Wrangler-managed Worker code versioned with rollback to any prior deploy within 1 minute
Third-Party Subprocessors
See our Privacy Policy Section 4 for the complete list with data categories handled.
Reporting a Security Issue
Email [email protected] with subject "Security disclosure." Please do not file public bug reports for security issues. We do not currently offer a paid bug bounty but will recognize valid disclosures in our security hall of fame upon request.
Last Independent Audit
Pending. Roadmap: SOC 2 Type I in 2026 H2.