Security

Infrastructure

DDT production services run on Railway with automated deployments from private GitHub repositories. All traffic is encrypted via TLS 1.3. Database connections use encrypted PostgreSQL with connection pooling.

Authentication

• Creator sessions use SHA-256 hashed tokens stored at rest. Raw tokens are returned once at creation and never stored.
• OTP verification has a 5-attempt limit per code and a 60-second cooldown between OTP sends.
• Vendor API keys are stored as SHA-256 hashes with an 8-character prefix index for lookup.
• Watcher tokens for the desktop agent are HMAC-SHA256 signed with a server-side secret.

Access Control

• Creator session tokens cannot access vendor endpoints. Vendor API keys cannot access creator endpoints.
• CRO records are scoped to their owning performer. Cross-performer access is not possible via the API.
• The IPS query endpoint requires authenticated vendor API keys with per-tier rate limiting.

Data Protection

• No private keys, certificates, or credentials are stored in source code repositories.
• Environment variables are used for all secrets (API keys, signing keys, database URLs).
• Audit logs (CROEvent, IPSQueryLog) are append-only and never deleted or modified.

Security Headers

All responses include: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security with a one-year max-age, X-XSS-Protection, and Referrer-Policy: strict-origin-when-cross-origin.

CORS Policy

Cross-origin requests are restricted to DDT production domains. Wildcard origins are not permitted.

Reporting

To report a security issue, contact jhofstad@ddt-pro.com. We will acknowledge within 48 hours and provide an initial assessment within 5 business days.