Security & Compliance

Demeterics is built with security and compliance as core design principles, not afterthoughts.

1. Infrastructure Security

Google Cloud Platform (GCP) Serverless Architecture

  • Fully Managed Services: AppEngine Standard, BigQuery, Datastore, Cloud Tasks - no servers to patch
  • Auto-Scaling: Scale from 0 to 1000+ instances automatically based on traffic
  • Multi-Region Deployment: us-central1, europe-west1, asia-east1
  • DDoS Protection: Google Cloud Load Balancer with built-in DDoS mitigation

2. Data Encryption

Encryption at Rest and in Transit

  • TLS 1.3: All API traffic encrypted with TLS 1.3 (HTTPS-only)
  • AES-256: BigQuery data encrypted at rest with AES-256
  • Secure Cookies: Session cookies encrypted with AES-GCM using SHA-256-derived keys
  • API Key Hashing: Demeterics API keys hashed with bcrypt (cost factor 12) before storage
  • Provider Key Encryption: Third-party provider API keys (OpenAI, Groq, Anthropic, Google AI) encrypted with Google Cloud KMS using AES-256 hardware-backed encryption before storage
  • In-Memory Caching: Decrypted provider keys cached in memory for 15 minutes with automatic expiration
  • Zero Logging: Provider API keys never logged in plain text anywhere in the system

3. Authentication & Authorization

Multi-Layer Auth with Tenant Isolation

  • Google OAuth2: Web UI login via Google OAuth2 with email verification
  • Domain Allowlist: Restrict access to specific email domains or hosted domains
  • API Key Authentication: Programmatic access via bcrypt-hashed API keys
  • Rate Limiting: 1,000 requests/minute default (configurable per key)
  • Tenant Isolation: Strict user_id filtering in all BigQuery queries

4. Secrets Management

Google Secret Manager & KMS for All Sensitive Values

  • OAuth Secrets: Client ID/Secret stored in Secret Manager, never in code
  • Session Secrets: Rotation-ready; 5-second timeout on Secret Manager calls
  • API Key Pepper: Application-level secret for API key hashing
  • Provider API Keys: Encrypted with Google Cloud KMS before storage, decrypted on-demand with audit logging
  • KMS Key Rotation: Automatic cryptographic key rotation handled by Google Cloud
  • HSM-Backed: KMS keys protected by Hardware Security Modules (FIPS 140-2 Level 3)
  • No Hardcoded Secrets: All secrets loaded from environment, Secret Manager, or KMS-encrypted storage

5. Network Security

Defense-in-Depth Network Controls

  • HTTPS-Only: Automatic HTTP → HTTPS redirect (301/308)
  • HSTS Headers: Strict-Transport-Security with preload directive
  • CSP Headers: Content-Security-Policy blocks inline scripts and unsafe sources
  • X-Frame-Options: Clickjacking protection (DENY)
  • CORS: Deny by default; wildcard only in development

6. Application Security

Secure Coding Practices & Input Validation

  • Input Validation: All API inputs validated against schemas
  • Parameterized Queries: BigQuery queries use parameter binding
  • Output Encoding: HTML/JavaScript escaping in server-rendered templates
  • No SQL Injection: Go type-safe queries prevent SQL injection
  • Idempotency Keys: X-Request-ID prevents duplicate writes (24-hour cache)

7. Data Privacy

GDPR, CCPA, and Privacy-by-Design

  • Data Minimization: Only capture question/answer pairs and metadata
  • Right to Access: Export API returns all data for a user
  • Right to Deletion: DELETE /api/v1/data triggers GDPR-compliant deletion
  • Data Portability: Export to CSV/JSON formats
  • Retention Policies: Configurable data retention (7-365 days)

8. Audit & Logging

Complete Audit Trail for Compliance

  • API Key Operations: All create/update/delete operations logged
  • Data Access Logs: BigQuery audit logs track all data access
  • Request IDs: ULID-based request IDs for end-to-end tracing
  • Structured Logging: slog-based structured logs (no PII logged)
  • SHA-256 Hashing: Content hashes for cryptographic verification

9. Incident Response

Prepared for Security Incidents

  • 24/7 Monitoring: GCP Monitoring alerts for anomalies
  • Incident Response Plan: Documented process for security incidents
  • Breach Notification: 72-hour notification for GDPR compliance
  • Rollback Capability: AppEngine version rollback in < 5 minutes

10. Compliance Certifications

Current Status & Roadmap

Standard Status Notes
GDPR Ready Data export, deletion, portability built-in
CCPA Ready California consumer rights supported
SOC 2 Type II In Progress Architecture designed for compliance; audit scheduled Q2 2025
HIPAA Available Business Associate Agreement available on request

11. Third-Party Security

Supply Chain Security

  • Minimal Dependencies: Go standard library preferred; minimal external packages
  • Dependency Scanning: Dependabot alerts enabled on GitHub
  • GCP Provenance: All services provided by Google Cloud Platform

12. Vulnerability Disclosure

Responsible Disclosure Policy

If you discover a security vulnerability, please report it to:

Email: support@demeterics.com
PGP Key: Available on request
Response Time: We acknowledge all reports within 24 hours
Disclosure Timeline: 90 days from report to public disclosure

Bug Bounty: Planned for Q2 2025 (post-SOC 2 certification)

13. Security Updates

We maintain a public security page at status.demeterics.com (coming soon) with information about security updates, incidents, and planned maintenance.

14. Questions?

For security questions or to request our security whitepaper, contact:
Email: support@demeterics.com
Response Time: 48 hours for all inquiries