Security Policy
Security Overview
AgentBrush is built with security as a core principle. Our serverless architecture on Cloudflare Workers minimizes attack surface by eliminating persistent servers, while our multi-layered security approach protects your data at every level.
Encryption
- In transit: All data is encrypted using TLS 1.3 between your browser/CLI and our servers. HSTS is enforced with a minimum age of one year.
- At rest: All stored data (Cloudflare R2, KV) is encrypted using AES-256 encryption provided by Cloudflare's infrastructure.
Authentication
AgentBrush uses a dual authentication model:
- Web users: JWT-based authentication via Clerk, with 60-second token expiry and 5-second clock skew tolerance. Multi-factor authentication (MFA) is supported.
- CLI/API users: Custom API key authentication with SHA-256 hashed storage. Raw API keys are never stored. Both authentication methods share a single token pool per user.
Authorization
All API endpoints are protected by an authentication middleware chain: CORS verification, authentication (JWT or API key), rate limiting, and idempotency checks. The principle of least privilege is applied across all service components.
Infrastructure
AgentBrush runs on Cloudflare Workers — a serverless, edge-native platform. This architecture provides:
- No persistent servers to compromise.
- Automatic DDoS protection via Cloudflare's global network.
- Isolated execution contexts per request (V8 isolates).
- Global edge deployment for low-latency access.
Data Handling
- PII scrubbing: All error monitoring data sent to Sentry is scrubbed of personal identifiers via the beforeSend hook. No email addresses, IP addresses, or token values appear in Sentry events, breadcrumbs, or context.
- Prompt privacy: Prompt text is never stored server-side and never sent to Sentry. Only prompt hashes (SHA-256) are used for monitoring and debugging.
- Security event retention: Security-relevant events are retained for 90 days.
- API key security: API keys are SHA-256 hashed before storage. Raw keys are never stored or logged.
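The PII scrubbing described above could be implemented along these lines. This is an added example, not AgentBrush's own code: the key names, the regular expressions, the `ab_` API-key prefix and the sample event are assumptions constructed for illustration.

```javascript
// Scrubber in the shape of a Sentry beforeSend(event) hook (added example).
// Key list, patterns and the "ab_" key prefix are assumptions, not project code.
const SENSITIVE_KEY =
  /^(email|ip_address|authorization|cookie|set-cookie|x-api-key|token|api_key|prompt)$/i;
const PATTERNS = [
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, "[email]"],
  [/\b(?:\d{1,3}\.){3}\d{1,3}\b/g, "[ip]"],      // IPv4 only; over-matches on purpose
  [/\beyJ[\w-]+\.[\w-]+\.[\w-]+/g, "[jwt]"],     // three base64url segments
  [/\bab_[A-Za-z0-9]{16,}\b/g, "[api_key]"],     // hypothetical API key format
];

// Replace identifiers embedded in free text (messages, exception values).
function scrubString(s) {
  return PATTERNS.reduce((out, [re, tag]) => out.replace(re, tag), s);
}

// Walk the event: redact whole values under sensitive keys, scrub all strings.
function scrub(value, depth = 0) {
  if (typeof value === "string") return scrubString(value);
  if (value === null || typeof value !== "object") return value;
  if (depth > 8) return "[truncated]";           // bound recursion on deep payloads
  if (Array.isArray(value)) return value.map((v) => scrub(v, depth + 1));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEY.test(k) ? "[redacted]" : scrub(v, depth + 1);
  }
  return out;
}

// Covers event fields, breadcrumbs and contexts in one pass.
function beforeSend(event) {
  const clean = scrub(event);
  if (clean.user) clean.user = { id: clean.user.id }; // keep only the opaque id
  return clean;
}

// Constructed sample event for demonstration.
const sampleEvent = {
  user: { id: "user_123", email: "alice@example.com", ip_address: "203.0.113.7" },
  request: { headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln" } },
  breadcrumbs: [{ message: "login by alice@example.com from 203.0.113.7" }],
  exception: { values: [{ value: "auth failed for key ab_0123456789abcdef0123" }] },
  extra: { prompt_hash: "ab12".repeat(16) },     // stand-in for a SHA-256 hex digest
};
```

The function would be passed as the `beforeSend` option to `Sentry.init`. Prompt hashes pass through unchanged because only the exact key `prompt` is redacted.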
Vulnerability Reporting
We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:
Email: [email protected]
Safe harbor: We will not take legal action against security researchers who report vulnerabilities in good faith, follow responsible disclosure practices, and do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.
Please allow us a reasonable time (90 days) to address the vulnerability before making any public disclosure.
Incident Response
In the event of a security incident, our response process includes:
- Immediate containment and investigation.
- Notification of affected users within 72 hours (per GDPR Art. 33).
- Notification of relevant supervisory authorities as required by law.
- Post-incident review and remediation.