Security
Last updated: June 8, 2026 · Contact: [email protected]
Operator: DotOwl Pte Ltd, Singapore
1. Security Overview
Security is foundational to ClippyBot. We implement defense-in-depth measures across our infrastructure, application, and operations to protect your data and ensure service availability.
2. Data Encryption
2.1 Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS 1.3 with modern cipher suites. We enforce HTTPS for all API endpoints and web traffic. Certificate pinning is used for mobile applications.
2.2 Encryption at Rest
PostgreSQL databases are encrypted at rest using AES-256. Redis snapshots and R2 object storage are encrypted. OAuth tokens and API keys are encrypted with AES-256-GCM before storage. File uploads are encrypted in transit and at rest.
3. Authentication & Access
3.1 Password Security
Passwords are hashed using Argon2id with appropriate memory and iteration parameters. We never store plaintext passwords. Password resets require email verification and expire after 24 hours.
3.2 Two-Factor Authentication
TOTP-based two-factor authentication is available for all accounts. We recommend enabling 2FA for workspace owners and administrators. Recovery codes are provided during 2FA setup.
3.3 Session Management
Access tokens are short-lived (15 minutes). Refresh tokens are stored in HttpOnly, Secure, SameSite=Strict cookies. All sessions are invalidated on password change or when the user logs out from all devices.
3.4 Role-Based Access Control
Workspaces support role-based access: owner, admin, member, viewer, and billing. Each role has defined permissions for data access, plugin management, and workspace settings. API keys are scoped to workspaces with optional expiration.
4. Infrastructure Security
4.1 Network Security
Our servers are protected by Cloudflare for DDoS mitigation, WAF rules, and bot management. Rate limiting is enforced per IP and per user. Internal services communicate via private networks. Ingress is restricted to HTTPS only.
4.2 Server Hardening
Servers run minimal operating systems with automatic security updates. SSH access is key-based only. Firewall rules restrict access to necessary ports. Log aggregation and monitoring detect anomalies. Containerized workloads run with least privilege.
4.3 Backups
Database backups are encrypted and stored in multiple geographically separated locations. Point-in-time recovery is available for the last 30 days. Backup restoration is tested quarterly.
5. Plugin & Code Security
5.1 First-Party Plugins
All first-party plugins are signed with Ed25519 signatures. The runtime verifies signatures before execution. Plugin manifests declare required permissions, and the system enforces them at runtime. Plugin updates are signed and verified.
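The verify-before-execute and manifest-permission checks described above, as an added illustration that is not ClippyBot's own runtime code. The manifest shape, the `plugin-v1` length-prefixed signing input, and the `clipboard:read` permission name are assumptions made up for this example; the runtime verifies the signature over the exact bytes it received and only then parses the manifest and compares it against what the workspace has granted.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)
// Manifest is a constructed, hypothetical shape; ClippyBot's real manifest format is not on this page.
type Manifest struct {
	Name        string   `json:"name"`
	Permissions []string `json:"permissions"`
}
// Bundle is what the runtime receives; the manifest stays as the exact signed bytes and is parsed only after verification.
type Bundle struct {
	ManifestJSON []byte
	Code         []byte
	Signature    []byte
}
// signingInput binds manifest and code into one length-prefixed message (assumed framing) so neither can be swapped alone.
func signingInput(manifest, code []byte) []byte {
	msg := []byte(fmt.Sprintf("plugin-v1\n%d\n", len(manifest)))
	return append(append(msg, manifest...), code...)
}
// Sign is the publisher-side step that produces a bundle the runtime will accept.
func Sign(priv ed25519.PrivateKey, manifest, code []byte) Bundle {
	return Bundle{ManifestJSON: manifest, Code: code, Signature: ed25519.Sign(priv, signingInput(manifest, code))}
}
// VerifyAndLoad refuses anything whose signature fails under the trusted publisher key,
// then rejects manifests that request permissions the workspace has not granted.
func VerifyAndLoad(pub ed25519.PublicKey, b Bundle, granted map[string]bool) (*Manifest, error) {
	if !ed25519.Verify(pub, signingInput(b.ManifestJSON, b.Code), b.Signature) {
		return nil, errors.New("plugin signature invalid: refusing to execute")
	}
	var m Manifest
	if err := json.Unmarshal(b.ManifestJSON, &m); err != nil {
		return nil, fmt.Errorf("signed manifest is malformed: %w", err)
	}
	for _, p := range m.Permissions {
		if !granted[p] {
			return nil, fmt.Errorf("manifest requests permission %q that is not granted", p)
		}
	}
	return &m, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	b := Sign(priv, []byte(`{"name":"demo","permissions":["clipboard:read"]}`), []byte("plugin code"))
	_, err := VerifyAndLoad(pub, b, map[string]bool{"clipboard:read": true})
	fmt.Println("verified and permitted:", err == nil)
}
```

Because the manifest bytes are part of the signed message, editing the permission list after signing invalidates the signature just as editing the code does, which is the property that makes runtime permission enforcement trustworthy.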
5.2 Third-Party Plugins
Third-party plugins submitted to the community registry are reviewed for security before approval. Runtime behavior is monitored for anomalies. Suspicious plugins are automatically quarantined. Plugin crash logs are collected for security analysis.
5.3 Dependency Management
Dependencies are scanned for known vulnerabilities using automated tools. Security patches are applied within 72 hours of release. Critical vulnerabilities are patched within 24 hours.
6. Incident Response
We have a documented incident response plan:
- Detection: Automated monitoring and alerting for security anomalies
- Containment: Immediate isolation of affected systems
- Investigation: Root cause analysis and impact assessment
- Remediation: Patching and recovery
- Communication: User notification within 72 hours if personal data is affected
- Review: Post-incident analysis and process improvements
7. Vulnerability Disclosure
We welcome responsible security research. If you discover a vulnerability:
- Email [email protected] with details
- Allow us 90 days to resolve before public disclosure
- Do not access data that does not belong to you
- Do not perform actions that could harm users or the service
We do not take legal action against researchers who follow these guidelines. We appreciate and acknowledge valid reports.
8. Compliance
We maintain compliance with relevant standards and regulations:
- GDPR (General Data Protection Regulation) for EU users
- CCPA/CPRA for California residents
- PCI-DSS requirements for payment processing (via Stripe)
- SOC 2 Type II (in progress) for security controls
9. Contact
For security-related inquiries or to report an issue:
- Email: [email protected]
- Postal: DotOwl Pte Ltd, Singapore
- Response time: 24 hours for security issues