Security

Password Security: All passwords are hashed using bcrypt with unique per-user salts. We enforce a minimum password length of 8 characters. Plaintext passwords are never stored or logged.

Multi-Factor Authentication: Users can enable TOTP-based MFA using any authenticator app (Google Authenticator, Authy, 1Password, etc.). When MFA is enabled, login requires both password and a time-based one-time code. Recovery codes (8 unique codes) are provided at setup, each usable once, and stored as SHA-256 hashes.

Session Management: JWT tokens expire after 24 hours. MFA partial tokens expire after 5 minutes. All sessions are stateless and validated on each request.

API Key Security: API keys use the prefix "rem_" for identification. Only a SHA-256 hash of each key is stored — the full key is shown once at creation and cannot be retrieved. Keys can be individually revoked at any time. Usage tracking records last-used timestamps and request counts.

Admin Separation: Administrative endpoints (pipeline management, user administration) require explicit admin role verification via a separate dependency chain.

Encryption in Transit: All connections use TLS 1.2 or higher. API endpoints, webhook deliveries, and external data source requests are encrypted end-to-end.

Encryption at Rest: Database storage uses AES-256 encryption. Backups are encrypted with separate keys.

Data Minimisation: We collect only the data necessary to provide the Service. Account data is limited to email, optional name, and hashed credentials. We do not collect device fingerprints, detailed browser data, or tracking cookies.

Content Deduplication: Ingested signals use SHA-256 content hashing (URL + title) to prevent duplicate processing and storage.

Audit Logging: All security-sensitive actions are recorded in an append-only audit log. Logged actions include:

• User registration and login attempts
• MFA setup, verification, and disabling
• API key creation and revocation
• Subscription and plan changes
• Password changes
• Administrative actions

Each audit entry records the user, action, IP address, timestamp, and relevant details. Audit logs are retained for 1 year.

Database: PostgreSQL with PostGIS extension, configured with connection pooling, parameterised queries (preventing SQL injection), and role-based access. The database is not directly accessible from the public internet.

Application: FastAPI with async-first architecture. All user input is validated through Pydantic schemas. CORS policies restrict allowed origins. Rate limiting is enforced per-user based on plan tier.

Dependencies: We use dependency lockfiles and regularly audit dependencies for known vulnerabilities.

Source Verification: The ingestion pipeline uses a 3-tier source reliability classification (government, industry media, OSINT). Source reliability scores influence project confidence ratings.

Extraction Versioning: All AI extractions are versioned by model version, creating new records rather than mutating existing data. This provides a complete provenance trail.

Pipeline Idempotency: Daily pipeline runs are tracked by date with idempotency checks to prevent duplicate processing.

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:

security@remtel.io

Please include a description of the vulnerability, steps to reproduce, and any potential impact. We commit to:

• Acknowledging receipt within 24 hours
• Providing an initial assessment within 72 hours
• Keeping you informed of remediation progress
• Not pursuing legal action against good-faith security researchers

We maintain documented incident response procedures. In the event of a confirmed data breach:

• Affected users will be notified within 72 hours
• Relevant supervisory authorities will be notified as required by law
• A post-incident review will be conducted and published

For security-related questions or to report a vulnerability:

security@remtel.io