Security
Last updated: May 30, 2026
Account & authentication
Passwords are hashed with bcrypt (cost factor 10+) and never stored or transmitted in plaintext. Password-reset tokens are single-use and expire within one hour. Sign-in supports Google and GitHub OAuth in addition to email/password. Admin accounts can enable TOTP-based two-factor authentication; backup codes are issued at enrollment and are one-time-use.
Sessions live in HTTP-only, Secure, SameSite=Lax cookies signed with NEXTAUTH_SECRET. Sessions are tied to the JWT issued by NextAuth — invalidating the server-side cookie revokes access.
Data at rest and in transit
All traffic between your browser and CloudPath is encrypted via TLS 1.2+ with HSTS preload (max-age 1 year, includeSubDomains). The application sets Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, a baseline Content-Security-Policy, and a Permissions-Policy that disables camera, microphone, and geolocation site-wide.
User data lives in AWS RDS Postgres with storage-level encryption (KMS) and automated daily backups. Static assets and avatars sit in S3 buckets with server-side encryption and bucket-policy access controls. Secrets (Stripe, Anthropic, OpenAI, Resend) are stored in environment variables injected at task-definition time — not committed to git or logged.
Your AWS account, our grader
When you connect your AWS account to verify hands-on assignments, you deploy our CloudFormation Quick-Create template, which creates a read-only IAM role in your account with the AWS-managed ReadOnlyAccess policy. Our grader assumes that role with a per-user ExternalId for confused-deputy protection and a MaxSessionDuration of one hour.
Every assume-role we make appears in your CloudTrail under our account ID and the session name cloudpath-verify-{your-id}. We can never modify or delete anything in your account; you can revoke our access any time by deleting the CloudFormation stack. We retain a log of every check we run and the AWS API response for dispute resolution.
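The role properties described above can be checked from the customer side. The following is an added example, not CloudPath's code: it audits a role description for ReadOnlyAccess only, a one-hour session limit, and a trust policy restricted to the grader account with an ExternalId condition. The account ID, the ExternalId value, and the combined role dictionary (including its AttachedPolicies field) are constructed placeholders.

```python
READ_ONLY = "arn:aws:iam::aws:policy/ReadOnlyAccess"

# Constructed sample: placeholder account ID and ExternalId, not real CloudPath values.
# The dict merges role metadata with its attached policy ARNs (hypothetical shape).
GRADER_ACCOUNT = "111122223333"
SAMPLE_ROLE = {
    "MaxSessionDuration": 3600,
    "AttachedPolicies": [READ_ONLY],
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "user-42-placeholder"}},
        }],
    },
}

def as_list(value):
    """IAM policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_role(role, grader_account, external_id):
    """Return findings; an empty list means the role matches the described setup."""
    findings = []
    if role.get("MaxSessionDuration", 3600) > 3600:
        findings.append("session duration above one hour")
    for arn in role.get("AttachedPolicies", []):
        if arn != READ_ONLY:
            findings.append(f"unexpected policy attached: {arn}")
    for stmt in as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"principal is not an AWS account: {principal!r}")
            continue
        for p in as_list(principal["AWS"]):
            if p != grader_account and not p.startswith(f"arn:aws:iam::{grader_account}:"):
                findings.append(f"untrusted principal: {p}")
        # Condition key names are case-insensitive, so compare them lowercased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ids is None:
            findings.append("no sts:ExternalId condition (confused-deputy exposure)")
        elif as_list(ids) != [external_id]:
            findings.append("sts:ExternalId does not match this user's value")
    return findings
```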
Payments and PII
Payments are processed by Stripe. CloudPath never sees, stores, or transmits card numbers, CVC codes, or full bank details — Stripe Elements collects them directly. We store only the Stripe Customer ID and a redacted last-4 / brand for receipt rendering.
Analytics (PostHog) operates in identified-only mode and runs query-string scrubbing for known PII parameters (email, token, password, phone, ssn) before any event leaves the browser. Cookie consent gates analytics and payment-fraud cookies; essential cookies (sign-in session, CSRF) are exempt per ePrivacy.
Vulnerability disclosure
If you find a security issue, please email security@cloudpathportal.com with as much detail as you can share — reproduction steps, affected URL, expected vs actual behaviour. We'll acknowledge within 2 business days and keep you posted on remediation. We don't currently run a paid bug-bounty program but will publicly credit anyone who responsibly reports a valid issue (with your consent).
Out of scope: denial-of-service against the platform, social engineering of our staff, physical security, and findings that require us to disable security controls before they fire.
Incident response
If we discover an incident that may have affected user data, we will: (1) contain it within 24 hours of detection, (2) notify affected users via the email on file within 72 hours of confirmation, and (3) publish a post-mortem describing what happened, what we changed, and the impact window. Material incidents will be reported to applicable supervisory authorities as required by GDPR Article 33 / state-level US breach-notification laws.
Compliance posture
CloudPath is not yet SOC 2 or ISO 27001 certified — we're a v1 platform launched in 2026. Our roadmap includes SOC 2 Type 1 in late 2026. We honor GDPR/CCPA data subject rights today: data export via /settings, account deletion via /settings, and opt-out of analytics via the cookie banner. Contact privacy@cloudpathportal.com for data-protection requests; we respond within 30 days.