erfa3ly
LoginGet started

Security at erfa3ly

We take security seriously. Here's how we protect your deployments, data, and infrastructure.

TLS 1.3 Encryption
AES-256 Data Protection
OAuth 2.0 Secure
Automated Backups
Container Isolation

Infrastructure Security

Deployment Isolation

Each deployment runs in an isolated Docker container with:

  • Dedicated CPU and memory limits
  • Network boundaries preventing cross-deployment access
  • Clean teardown on failure to prevent state leakage
  • No shared filesystem or resources between deployments

Container Security

  • Minimal base images (Alpine Linux) with reduced attack surface
  • No unnecessary system packages or tools
  • Regular security updates applied automatically
  • Vulnerability scanning on all base images
  • Non-root user execution inside containers

Network Security

  • TLS 1.3 for all connections (HTTPS only)
  • Automatic SSL certificate provisioning via Let's Encrypt
  • DDoS protection via Caddy edge layer
  • No public container ports (except HTTP/HTTPS through reverse proxy)
  • Firewall rules limiting internal network access

Application Security

OAuth Security

  • Industry-standard OAuth 2.0 flows for GitHub and Google
  • Securely scoped access tokens (read-only by default)
  • State parameter CSRF protection
  • Token encryption at rest using AES-256
  • Automatic token refresh for expired credentials
  • Secure token storage with rotation support

Repository Security

  • Read-only repository access (no write permissions)
  • Webhook signature verification using HMAC-SHA256
  • No permanent code storage (ephemeral build containers)
  • Git credentials never logged or exposed
  • Repository access revocable at any time via GitHub settings

Secret Management

  • Environment variables encrypted at rest (AES-256-GCM)
  • Separate encryption keys per environment
  • Build vs runtime separation prevents secret leakage
  • Audit logging for all secret access operations
  • No secrets in logs, error messages, or git history
  • Automatic secret rotation support for compatible services

Database Security

Managed Databases

  • Data encrypted at rest using AES-256
  • Data encrypted in transit using TLS 1.3
  • Automated daily backups with 30-day retention
  • Point-in-time recovery capability
  • Network isolation (no public internet access)
  • Only accessible from deployment containers in the same workspace

Access Control

  • Database passwords generated using cryptographically secure random generation
  • Connection strings encrypted in storage
  • Worker-only network access (no external connections)
  • No direct database access from outside the platform
  • Role-based access control for database operations

Backup & Recovery

  • Automated daily backups at 3:00 AM UTC
  • Backups stored in geographically separate location
  • Encrypted backups using AES-256
  • 30-day backup retention policy
  • One-click restore functionality
  • Disaster recovery procedures tested quarterly

Operational Security

Monitoring & Alerting

  • Real-time health checks for all deployments
  • Performance metrics tracking and anomaly detection
  • Automated alerting for degraded systems
  • Incident response procedures for security events
  • 24/7 uptime monitoring

Backup & Recovery

  • Daily automated backups for all managed databases
  • 30-day retention period with configurable extensions
  • One-click restore capability
  • Disaster recovery procedures
  • Geographic redundancy for critical data

Audit Logging

  • All administrative actions logged with timestamps
  • Deployment events tracked and auditable
  • Access attempts monitored for suspicious activity
  • 90-day log retention for compliance
  • Immutable audit trail for forensic analysis

Compliance & Best Practices

Standards & Frameworks

We follow industry best practices including:

  • OWASP Top 10Protection against common web vulnerabilities
  • CIS Benchmarks for DockerSecure container configuration
  • NIST Cybersecurity FrameworkRisk management and security controls
  • Regular security audits by third-party experts
  • Penetration testing performed semi-annually

Development Practices

  • Security code reviews for all changes
  • Dependency vulnerability scanning (Dependabot, Snyk)
  • Automated security testing in CI/CD pipeline
  • Principle of least privilege for all access
  • Regular security training for engineering team

Reporting Vulnerabilities

If you discover a security issue, please report it responsibly. We take all security reports seriously and will respond within 24 hours.

Email: security@erfa3ly.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Suggested remediation (if available)

We'll work with you on responsible disclosure and provide credit for the discovery (if desired).

Security Updates

Subscribe to security notifications to stay informed about:

  • Security patches and updates
  • Incident reports and resolutions
  • Scheduled maintenance affecting security
  • Best practices and security recommendations

Security notifications: security-updates@erfa3ly.com

Last updated: May 9, 2026