Security at CurlyFry
CurlyFry is built with enterprise-grade security from the ground up. Your team's data is isolated, encrypted, and protected at every layer.
Encryption
AES-256 encryption at rest. TLS 1.2+ in transit. Audio recordings are processed and immediately discarded — only extracted text is stored.
Tenant Isolation
Every database query is scoped to your organization. Row-level isolation ensures no data leaks between customers. Ever.
Access Control
Role-based access (RBAC) with manager, engineer, and admin roles. JWT authentication with token rotation. Rate limiting on all endpoints.
Audit Logging
All data mutations are logged with user, timestamp, and action. Settings changes, data access, and admin operations leave a complete trail.
Infrastructure
- Hosting: DigitalOcean Managed Kubernetes (DOKS) with dedicated node pools
- Database: DigitalOcean Managed PostgreSQL 16 with automated backups, encryption at rest, and private networking
- Secrets: Kubernetes Secrets with RBAC-restricted access. API keys stored as platform-level encrypted settings, never in code or environment files
- Deployment: Helm-managed releases with pre-upgrade migration hooks. Zero-downtime rolling deployments
- TLS: cert-manager with Let's Encrypt for automatic certificate provisioning and renewal
Authentication
- Password policy: Minimum 10 characters, uppercase, lowercase, digit required. Common password blocklist enforced
- SSO: Google OAuth and Microsoft Entra ID via OIDC Authorization Code with PKCE
- Session management: JWT tokens with configurable expiration and refresh token rotation
- Webhooks: Jira webhook payloads validated via HMAC-SHA256 signature verification
API Security
- Rate limiting: Sliding-window rate limits per IP (10 requests/minute for auth endpoints, 120 requests/minute for API)
- Security headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Strict-Transport-Security, and Content-Security-Policy
- CORS: Explicit origin allowlist — no wildcard origins
- Input validation: Pydantic schema validation on all API inputs. SQL injection prevented by SQLAlchemy ORM
AI Data Handling
- Provider: Anthropic Claude — enterprise-grade AI with no data retention for training
- Processing: Meeting transcripts are sent to Claude for analysis. Anthropic does not use API data to train models
- PII sanitization: Chat signal data is sanitized (emails, phone numbers, @mentions stripped) before AI processing
- Token tracking: Every AI call is logged with model, token count, cost, and duration for full auditability
Data Retention
- Audio recordings are deleted immediately after transcription
- Chat signal message batches are hard-deleted per configurable retention period
- Account data is permanently deleted within 30 days of account cancellation
- Enterprise customers will have configurable retention periods (planned)
Compliance
We follow data protection principles consistent with GDPR and CCPA requirements. A Data Processing Agreement (DPA) is available for Enterprise customers upon request. SOC 2 Type I certification is on our roadmap.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@curlyfry.ai. We take all reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we've had a chance to address them.