Security Practices

How Ordalis protects your documents and data with enterprise-grade security at every layer. From encryption to access controls, security is built into everything we do.

Encrypted at Rest

All stored files and data are encrypted using AES-256-GCM, the same standard used by government and financial institutions.

Encrypted in Transit

All connections use TLS 1.3, ensuring data cannot be intercepted or tampered with during transmission.

Auto-Delete by Default

Source files are deleted immediately after processing. No document data is retained longer than necessary.

Edge Infrastructure

Powered by Cloudflare's global network with 300+ data centers, built-in DDoS protection, and Web Application Firewall.

1. Infrastructure Security

Ordalis runs entirely on Cloudflare's edge network, which gives us world-class infrastructure security without the need to operate our own servers.

1.1 Cloudflare Edge Network

  • Global presence: 300+ data centers across 100+ countries, ensuring low latency and geographic redundancy
  • DDoS protection: Automatic mitigation of volumetric, protocol, and application-layer attacks
  • Web Application Firewall (WAF): Protection against common web vulnerabilities including SQL injection, XSS, and CSRF
  • Bot management: Detection and mitigation of automated abuse and credential stuffing

1.2 Compute and Storage

  • Cloudflare Workers: Serverless compute with process-level isolation; no shared memory between requests
  • Cloudflare D1: Distributed SQLite database with encryption at rest
  • Cloudflare R2: Object storage with AES-256-GCM encryption for all stored files
  • Cloudflare KV: Key-value store used for rate limiting with data isolation between accounts

2. Encryption

2.1 Encryption at Rest

All data stored on Ordalis infrastructure is encrypted at rest using AES-256-GCM:

  • Document files stored in R2 are encrypted with AES-256-GCM
  • Database records in D1 are encrypted at the storage layer
  • Cached results are encrypted identically to primary storage

2.2 Encryption in Transit

All network traffic to and from Ordalis is encrypted with TLS 1.3:

  • HTTPS is enforced on all endpoints — HTTP requests are automatically redirected
  • TLS 1.3 is the minimum supported version; older protocol versions are rejected
  • HSTS headers are set to prevent protocol downgrade attacks
  • Internal service-to-service communication (e.g., Worker to R2, Worker to D1) is also encrypted

3. Authentication and Authorization

3.1 Password Security

  • Hashing algorithm: PBKDF2-SHA256 with 600,000 iterations
  • Salt: Unique, cryptographically random 128-bit salt per password
  • Plaintext storage: Never — we only store the derived hash

3.2 API Key Security

  • Generation: API keys are generated using a cryptographically secure random number generator
  • Storage: Only a SHA-256 hash of each API key is stored — the full key is shown only once at creation
  • Identification: A non-secret prefix (first 8 characters) is stored for key identification and management
  • Revocation: API keys can be revoked immediately through the dashboard or API

3.3 Session Management

  • JWT tokens: JSON Web Tokens are used for session authentication with configurable expiration
  • Active session tracking: All active sessions are tracked and visible in account settings
  • Session revocation: Individual sessions or all sessions can be revoked at any time
  • Token rotation: Tokens are refreshed on a regular cadence to limit exposure windows

4. Audit Logging

Ordalis maintains comprehensive audit logs to track all significant actions within the system.

4.1 Events Logged

4.2 Log Details

Each audit log entry includes:

  • Timestamp (UTC)
  • Actor (user ID or API key prefix)
  • Action type and description
  • Source IP address
  • Request metadata (user agent, endpoint)
  • Result (success or failure with reason)

4.3 Log Retention

Audit logs are retained for 90 days by default. Enterprise customers can configure extended retention periods for compliance requirements.

5. Data Retention and Auto-Cleanup

5.1 Default Behavior

  • Source files: Deleted immediately after processing by default — we do not retain your original documents
  • Extracted results: Cached for up to 90 days for performance, then automatically purged
  • Metadata: Conversion metadata retained for 90 days for analytics and debugging

5.2 Configurable Retention

Enterprise customers can configure custom retention policies:

  • Shorter retention windows for sensitive industries (healthcare, legal, finance)
  • Extended retention for compliance or regulatory requirements
  • Immediate deletion of all data upon request

5.3 Automatic Cleanup

Automated cleanup processes run continuously to ensure data is not retained beyond its configured retention period. All deletion is permanent and irreversible — deleted data cannot be recovered.

6. Access Controls

6.1 Per-User Isolation

All user data is logically isolated at the application layer:

  • Users can only access their own documents, conversions, and account data
  • API keys are scoped to the creating user's account
  • Database queries enforce user-level access filters on every request
  • R2 object paths are namespaced by user ID to prevent cross-account access

6.2 Role-Based Access

Ordalis implements role-based access control for administrative functions:

  • User: Standard account with access to their own data and conversions
  • Admin: Elevated privileges for platform management and user support

6.3 IP Allowlisting (Enterprise)

Enterprise customers can configure IP allowlists to restrict API access to approved network ranges. When enabled, requests from non-allowlisted IPs are rejected at the edge before reaching application code.

7. Rate Limiting

Rate limiting protects the platform from abuse and ensures fair resource allocation across all users.

Rate limit status is returned in response headers (X-RateLimit-Remaining, X-RateLimit-Reset) so clients can proactively manage their request cadence.

8. File Validation

All uploaded files undergo strict validation before processing:

8.1 Magic Byte Verification

File types are validated by inspecting the file's magic bytes (file signature), not just the file extension. This prevents disguised malicious files from being processed. For example, a .pdf file must begin with the %PDF magic bytes.

8.2 Integrity Checks

  • File size validation: Files are checked against plan-based size limits before processing
  • Content-type verification: The MIME type header must match the actual file content
  • Malformed file detection: Corrupted or malformed files are rejected with descriptive error messages
  • Archive scanning: Compressed files are inspected for zip bombs and recursive nesting
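The magic-byte and content-type checks from 8.1 and 8.2, as an added Node.js example (not Ordalis's own validator). The signature table, the accepted MIME names and the plan limit passed in are assumptions; the page only states that a .pdf must begin with %PDF.

```javascript
// Added example, not Ordalis code. Signature table and MIME names are assumptions.
// 8.1: the type is decided by the leading bytes, never by the extension alone.
const SIGNATURES = [
  { mime: 'application/pdf', ext: ['pdf'], magic: Buffer.from('%PDF') },
  { mime: 'image/png', ext: ['png'], magic: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { mime: 'image/jpeg', ext: ['jpg', 'jpeg'], magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { mime: 'application/zip', ext: ['zip'], magic: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },
];

// Returns the matching signature entry for a Buffer, or null if none matches.
function detectType(bytes) {
  return SIGNATURES.find(s =>
    bytes.length >= s.magic.length && bytes.subarray(0, s.magic.length).equals(s.magic)) || null;
}

// 8.2: size limit, then signature, then extension and declared MIME type must all agree.
// Returns { ok: true, type } or { ok: false, reason } with a descriptive rejection reason.
function validateUpload({ bytes, filename, contentType, maxBytes }) {
  if (bytes.length === 0) return { ok: false, reason: 'empty file' };
  if (bytes.length > maxBytes) return { ok: false, reason: `file exceeds plan limit of ${maxBytes} bytes` };
  const detected = detectType(bytes);
  if (!detected) return { ok: false, reason: 'unrecognised or unsupported file signature' };
  const ext = filename.toLowerCase().split('.').pop();
  if (!detected.ext.includes(ext)) {
    return { ok: false, reason: `extension .${ext} does not match detected type ${detected.mime}` };
  }
  const declared = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (declared !== detected.mime) {
    return { ok: false, reason: `Content-Type ${declared || '(missing)'} does not match ${detected.mime}` };
  }
  return { ok: true, type: detected.mime };
}
```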

9. Webhook Security

Webhooks are used to notify your systems of asynchronous events (e.g., conversion completion). All webhook deliveries are cryptographically signed for verification.

9.1 HMAC-SHA256 Signatures

Every webhook delivery includes an X-Ordalis-Signature header containing an HMAC-SHA256 signature computed from:

  • The raw request body (JSON payload)
  • Your webhook signing secret (unique per webhook endpoint)

Your server should verify this signature before processing any webhook payload to ensure the request originated from Ordalis and was not tampered with in transit.

9.2 Delivery Security

  • Webhooks are delivered over HTTPS only — HTTP endpoints are not supported
  • Failed deliveries are retried with exponential backoff (up to 3 attempts)
  • Delivery history is available in the dashboard for debugging and audit purposes

10. Session Management

  • Active session visibility: Users can view all active sessions including device, IP address, and last activity time
  • Individual revocation: Any session can be revoked independently without affecting others
  • Bulk revocation: "Sign out all devices" terminates all active sessions simultaneously
  • Automatic expiration: Sessions expire after a configurable inactivity period
  • Login notifications: Users receive email notifications for logins from new devices or locations

11. Compliance

11.1 Current Compliance

  • GDPR: Full compliance with the General Data Protection Regulation, including data export, deletion rights, and a Data Processing Agreement (DPA) for enterprise customers
  • CCPA: Full compliance with the California Consumer Privacy Act, including right to know, delete, and opt-out

11.2 In Progress

SOC 2 Type II and HIPAA compliance programs are currently in progress. We are working with third-party auditors to achieve these certifications. Contact us at [email protected] for the latest status and expected completion timelines.

12. Incident Response

12.1 Response Process

Ordalis maintains a documented incident response plan covering:

  • Detection: Automated monitoring, alerting, and anomaly detection across all services
  • Triage: Rapid severity classification and assignment to the appropriate response team
  • Containment: Immediate isolation of affected systems to prevent further impact
  • Eradication: Root cause analysis and removal of the threat
  • Recovery: Restoration of normal service operations with verification
  • Post-mortem: Documented analysis and implementation of preventive measures

12.2 Notification

In the event of a confirmed security incident that affects your data, we will:

  • Notify affected users via email within 72 hours of confirmation
  • Provide details of the incident, including what data was affected and what actions we are taking
  • Report to relevant regulatory authorities as required by applicable law (e.g., GDPR, CCPA)
  • Publish a post-incident report once the investigation is complete

13. Responsible Disclosure

We welcome reports of security vulnerabilities from the research community. If you discover a potential security issue, please report it responsibly:

  • Contact: [email protected]
  • Please include: A description of the vulnerability, steps to reproduce, and any supporting evidence
  • Response time: We will acknowledge your report within 48 hours and provide a timeline for resolution
  • Commitment: We will not pursue legal action against researchers who act in good faith and comply with responsible disclosure practices

14. Contact

For security-related questions, vulnerability reports, or compliance inquiries:
