Security and Data Protection

TapeAlert takes security and data protection seriously. This document outlines our security practices and how we protect your data.

Data Encryption

Encryption at Rest

We encrypt sensitive data at rest using AES-GCM. This includes:

  • API Keys: All Tape API keys are encrypted before storage
  • Webhook Secrets: Custom webhook signature keys are encrypted
  • Integration Tokens: Tokens for third-party services like Linear

Encryption in Transit

All data transmitted to and from TapeAlert is encrypted using TLS. This includes:

  • Dashboard Access: All web interface connections
  • API Requests: All API calls to our service
  • Webhook Events: Data received from Tape
  • Notification Delivery: Data sent to notification destinations

Authentication and Access Control

Authentication Method

We use a secure, passwordless authentication system:

  • Email Verification: One-time verification codes sent via email
  • Limited Validity: Verification codes expire after 5 minutes
  • Session Management: Secure session tokens with 7-day validity

Access Control

We implement role-based access control:

  • Partner Isolation: Separation between partner organizations
  • Role-Based Access: Admin and user roles with different permissions
  • Session Expiry: Automatic session termination after 7 days

Infrastructure Security

Platform Security

TapeAlert is built on Cloudflare Workers, which provides:

  • Edge Deployment: Code runs on Cloudflare’s global network
  • DDoS Protection: Protection against distributed denial-of-service attacks through Cloudflare
  • WAF: Web Application Firewall through the Cloudflare platform

Database Security

We use Cloudflare D1 for data storage, which provides:

  • Access Controls: Access to database resources is controlled
  • Encryption: Data encrypted at rest (managed by Cloudflare)

Webhook Security

Webhook Verification

We verify the source of webhook events:

  • Unique URLs: Each webhook has a unique, unguessable URL
  • API Verification: Webhooks are verified against the Tape API

Outbound Webhook Security

For webhook forwarding, we provide:

  • HMAC Signatures: Optional HMAC-SHA256 signatures for payload verification
  • Custom Secrets: Custom signature keys for each destination
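
A receiver-side check for a forwarded webhook signed this way, as an added example that is not TapeAlert's own code. It assumes the signature is the hex-encoded HMAC-SHA256 of the raw request body and arrives in a request header; that encoding, the destination ids and the secrets are constructed for illustration.

```javascript
// Added example: verifying an HMAC-SHA256 webhook signature on the receiving side.
// Assumed (not from the page): hex encoding, signature computed over the raw body.
const crypto = require("node:crypto");

// One signing secret per destination (constructed sample values).
const SECRETS = new Map([
  ["dest-billing", "constructed-secret-billing"],
  ["dest-ops", "constructed-secret-ops"],
]);

// What the sender is assumed to compute: hex(HMAC-SHA256(secret, rawBody)).
function signPayload(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Returns { ok, reason }. rawBody must be the exact bytes received,
// never JSON that was parsed and serialized again.
function verifyWebhook(destinationId, rawBody, signatureHeader) {
  const secret = SECRETS.get(destinationId);
  if (!secret) return { ok: false, reason: "unknown destination" };
  if (typeof signatureHeader !== "string" ||
      !/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return { ok: false, reason: "missing or malformed signature" };
  }
  const expected = Buffer.from(signPayload(secret, rawBody), "hex");
  const received = Buffer.from(signatureHeader, "hex");
  // Both buffers are exactly 32 bytes here, so timingSafeEqual cannot throw.
  // It compares in constant time, unlike === on strings.
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: "signature mismatch" };
  }
  return { ok: true, reason: "verified" };
}

// Constructed sample delivery; the body deliberately contains whitespace.
const body = Buffer.from('{"event": "record.updated", "id": 42}');
const sig = signPayload(SECRETS.get("dest-billing"), body);
// Re-serializing drops the whitespace, so the bytes no longer match the signature.
const reserialized = Buffer.from(JSON.stringify(JSON.parse(body.toString())));

console.log(verifyWebhook("dest-billing", body, sig));          // verified
console.log(verifyWebhook("dest-billing", reserialized, sig));  // signature mismatch
console.log(verifyWebhook("dest-ops", body, sig));              // signature mismatch
console.log(verifyWebhook("dest-billing", body, sig.slice(2))); // malformed
```

Reject the request on any result other than `ok: true`, and log the reason without logging the secret or the expected signature.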

Data Handling

Data Minimization

We follow reasonable data handling practices:

  • Essential Data: We focus on collecting data needed for the service to function
  • Data Sanitization: Sensitive data can be redacted from webhook logs

Data Retention

Our data retention approach:

  • Notification Logs: Stored based on your plan’s configuration
  • Account Data: Retained as long as your account is active

Security Recommendations

To maximize the security of your TapeAlert account:

  1. API Keys: Use Tape API keys with minimal permissions
  2. Regular Rotation: Rotate API keys and tokens regularly
  3. Access Management: Remove users who no longer need access
  4. Webhook Verification: Use webhook signatures for forwarding
  5. Monitor Activity: Regularly review notification logs for unusual activity

Reporting Security Issues

If you discover a security vulnerability, please report it to:

Email: security@jmc.tools

We treat security reports with the highest priority and will work quickly to address any issues.