Security
Last updated: 18 May 2026
StyloBot is built and operated by Mostlylucid Ltd. This page summarises the controls we apply across transport, storage, identity, secret handling, and supply chain. For the formal processing terms, see the Data Processing Agreement.
Transport
- TLS 1.3 only on public endpoints.
- HTTP Strict Transport Security (HSTS) with includeSubDomains.
- Certificates are managed and rotated automatically by Caddy.
Storage
- PostgreSQL with provider-managed encryption at rest.
- Column-level encryption applied to billing email via ASP.NET Data Protection (see slice 7). The data-protection key used for column-level encryption is persisted to a filesystem path with restricted ACLs (operator responsibility) in production. Loss of this key makes the encrypted column unrecoverable; rotation policy is part of our deployment runbook.
- Detection telemetry uses HMAC-SHA256 hashed signatures and PII-stripped user agents; no raw IPs are persisted.
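The telemetry design above (keyed hashes instead of raw values, user agents scrubbed before storage, no IP column at all) is shown below as an added illustration written for this page; it is not StyloBot's own code. The key name TELEMETRY_HMAC_KEY, the set of PII patterns removed from user agents, and the record layout are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed example key. A deployment would source this from the environment
# or a secret store; the fallback here only keeps the example runnable offline.
TELEMETRY_KEY = os.environ.get("TELEMETRY_HMAC_KEY", "constructed-example-key").encode()

# Assumed set of PII that can leak into User-Agent strings: e-mail addresses,
# IPv4 literals, and long hex strings that are usually session or API tokens.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")


def keyed_hash(value: str, key: bytes = TELEMETRY_KEY) -> str:
    """HMAC-SHA256 of a value under a server-side key.

    Unlike a plain SHA-256, an attacker who obtains the telemetry table but not
    the key cannot confirm guesses by hashing candidate values themselves.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def strip_pii(user_agent: str) -> str:
    """Replace PII-like fragments in a User-Agent string and bound its length."""
    ua = _EMAIL.sub("[email]", user_agent)
    ua = _IPV4.sub("[ip]", ua)
    ua = _HEX_TOKEN.sub("[token]", ua)
    return ua[:256]


def telemetry_record(signature: str, client_ip: str, user_agent: str) -> dict:
    """Build the row that is persisted for one detection event.

    client_ip is accepted so the call site looks like a real request handler,
    but it is deliberately not written into the record in any form.
    """
    return {
        "signature_hmac": keyed_hash(signature),
        "user_agent": strip_pii(user_agent),
    }


if __name__ == "__main__":
    # Constructed request values.
    print(telemetry_record("bot:headless-chrome", "203.0.113.5",
                           "Mozilla/5.0 (contact: bob@example.com)"))
```

The check worth keeping in a test suite is the negative one: serialise the record and assert that the raw IP and the raw e-mail never appear in it.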
Identity isolation
User passwords, MFA secrets, social-login tokens, and email verification flows live inside Keycloak, a separate service with its own database. The StyloBot application database has no users table. Every customer-scoped row references the Keycloak sub claim. A compromise of the application database leaks zero passwords.
Secret handling
- The OIDC client secret, invite HMAC key, and license signing keys are sourced from environment variables.
- No secrets are committed to source control.
- Vendor public keys for license verification are compiled into the binary; never loaded from configuration.
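As an added example of the first two points (secrets read from the environment, invites authenticated with an HMAC key), the snippet below fails fast at startup when a secret is missing and issues and verifies invite tokens with a constant-time tag comparison. It is illustrative code written for this page, not StyloBot's implementation; the variable name INVITE_HMAC_KEY, the token layout, and the e-mail|expiry payload are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time
from typing import Optional


def require_secret(name: str) -> bytes:
    """Read a secret from the environment and refuse to start without it.

    Failing here, rather than at first use, keeps a misconfigured deployment
    from serving traffic with an empty or default key.
    """
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value.encode()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_invite(key: bytes, email: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Token = base64(payload).base64(HMAC-SHA256(key, payload)), payload = email|expiry."""
    exp = (now if now is not None else int(time.time())) + ttl_seconds
    payload = f"{email}|{exp}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_invite(key: bytes, token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the invited e-mail if the tag and expiry check out, otherwise None.

    The tag is checked before the payload is interpreted, and with
    hmac.compare_digest so that timing does not leak how many bytes matched.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    email, _, exp = payload.decode(errors="replace").rpartition("|")
    if not exp.isdigit() or int(exp) < (now if now is not None else int(time.time())):
        return None
    return email


if __name__ == "__main__":
    # Assumed variable name; in production this would be set by the deployment.
    invite_key = require_secret("INVITE_HMAC_KEY")
    token = make_invite(invite_key, "alice@example.com", ttl_seconds=3600)
    print(token, verify_invite(invite_key, token))
```

Because the key never leaves the server, a leaked invite token is usable only until its expiry, and a forged one needs the key itself, which is why the page's rule that the key is never committed to source control matters more than the token format.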
Vulnerability disclosure
Report security issues to [email protected]. We acknowledge within 2 business days and aim to ship a fix within 90 days of report under a coordinated disclosure window. PGP public key available on request.
Supply chain (FOSS releases)
- SLSA provenance attestations on every release. Verify with gh attestation verify.
- sigstore-signed binaries (rekor-logged).
- Debian repo signed via Cloudsmith.
- Dependabot enabled on both the FOSS and commercial repositories.
- All build logs public on GitHub Actions.
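To show what a provenance check actually compares once the Sigstore signature has been validated (which gh attestation verify does for you), here is an added example that walks an in-toto Statement v1 carrying a SLSA v1 predicate and checks it against a downloaded artifact. It is not StyloBot's release tooling. The artifact bytes and the statement are constructed inline, the artifact name and repository URL are placeholders (the real ones are not on this page), and the builder id is assumed to be the GitHub-hosted runner identity.

```python
import hashlib
from typing import List

# Constructed stand-ins for a downloaded release file and its metadata.
ARTIFACT_BYTES = b"constructed-release-binary-contents\n"
ARTIFACT_NAME = "stylobot_1.0.0_linux_amd64"                   # placeholder name
EXPECTED_BUILDER = "https://github.com/actions/runner/github-hosted"  # assumed builder id
EXPECTED_REPO = "https://github.com/example-org/stylobot"      # placeholder repository


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed statement in the shape produced by GitHub's provenance attestations.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": sha256_hex(ARTIFACT_BYTES)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "workflow": {"repository": EXPECTED_REPO, "ref": "refs/tags/v1.0.0"}
            }
        },
        "runDetails": {"builder": {"id": EXPECTED_BUILDER}},
    },
}


def check_provenance(statement: dict, artifact: bytes, builder_id: str, repo: str) -> List[str]:
    """Return the list of problems found; an empty list means the statement
    describes exactly this artifact, built by the expected builder from the
    expected source repository."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("not a SLSA v1 provenance predicate")

    # The subject digest binds the statement to these exact bytes; a
    # re-packaged or tampered download fails here even with a valid signature.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not among statement subjects")

    pred = statement.get("predicate", {})
    if pred.get("runDetails", {}).get("builder", {}).get("id") != builder_id:
        problems.append("unexpected builder id")

    # Source repository check: provenance from a fork carries a different
    # repository value even if the builder and artifact name look right.
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != repo:
        problems.append("provenance was not produced from the expected source repository")
    return problems


if __name__ == "__main__":
    print(check_provenance(STATEMENT, ARTIFACT_BYTES, EXPECTED_BUILDER, EXPECTED_REPO))
```

The repository comparison is the part most often skipped by hand-rolled checks; gh attestation verify performs it through its --owner or --repo selection, so pass the real organisation or repository rather than accepting any signed statement.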