Legal
Security
Last updated June 6, 2026
Security is built into the architecture, not bolted on. Here's how we protect your data and your Visitors'.
01Tenant isolation
Every table is protected by Postgres Row-Level Security. A workspace can only ever read or write its own sites, forms, counters, and submissions — enforced at the database layer, not just in application code.
02Embed authentication
- No public API keys in embed scripts — nothing sensitive ships to the browser.
- Each site has an origin allowlist; ingestion requests are rejected from unknown origins.
- Form submissions require a short-lived, single-use HMAC token (5-minute TTL).
- Webhooks are signed with HMAC-SHA256 (X-Devlune-Signature) so you can verify authenticity.
03Edge protection
Ingestion runs on Cloudflare's edge with per-IP, per-origin, and per-token rate limiting via Upstash. Forms are protected by an invisible honeypot and optional Cloudflare Turnstile, with no CAPTCHA friction for legitimate users.
04Data in transit & at rest
- All traffic is encrypted with TLS.
- Databases and object storage are encrypted at rest by our infrastructure providers.
- Secrets live in environment variables and secret managers — never in source control.
05Privacy by design
06Auditability
Workspace-scoped admin actions are recorded in an append-only audit log (actor, action, target, hashed IP/UA, timestamp) so account owners can review activity.
07Reporting a vulnerability
Found something? Please email security@devlune.in with details and steps to reproduce. We investigate every report and will keep you updated on remediation. Please don't publicly disclose until we've had a chance to fix it.
