Trust Center

Security Architecture Built for Enterprise

This document details the cryptographic primitives, data isolation model, edge execution architecture, and compliance posture that protect your license infrastructure. Designed for review by your IT security and compliance teams.

Ed25519 Signatures | TLS 1.3 Enforced | AES-256 at Rest | GDPR Compliant

01. Cryptographic Architecture

Every license key issued by Traffic Orchestrator is cryptographically signed and verified at the network edge, ensuring tamper-proof validation without centralized dependencies.

Ed25519 Digital Signatures

License keys are signed with Ed25519 (Curve25519 + SHA-512), providing 128-bit security with 64-byte signatures. Keys can be verified offline without contacting our servers — the public key is embedded in your SDK.

Algorithm: Ed25519 (RFC 8032)
Key Size: 256-bit (32-byte)
Signature Size: 64 bytes
Verification: Offline-capable

AES-256 Encryption at Rest

All stored data — license keys, customer PII, API credentials — is encrypted with AES-256-GCM. Encryption keys are managed by infrastructure-level KMS with automatic rotation.

Cipher: AES-256-GCM
Key Rotation: Automatic
Scope: All PII + secrets

TLS 1.3 Transport Security

All network traffic uses TLS 1.3 exclusively with strong cipher suites. HSTS is enforced with a 1-year max-age, includeSubDomains, and preload directives. No fallback to TLS 1.2.

Protocol: TLS 1.3 only
HSTS: 1 year + preload
Certificate: Auto-renewed

HMAC-SHA256 Webhooks

All webhook payloads are signed with HMAC-SHA256 using per-customer secrets. Recipients verify the X-Signature header to ensure payload integrity. Replay protection via timestamp guards rejects payloads older than 5 minutes.

Algorithm: HMAC-SHA256
Replay Window: 5 minutes
Retry Policy: Exponential backoff
02. Sub-10ms Edge Execution

License validation runs on V8 isolates at 300+ edge locations worldwide. No containers, no cold starts, no centralized bottleneck. Your validation latency is bounded by physics, not infrastructure.

  • <10ms P95 validation latency: measured at the edge, including full cryptographic verification and database lookup.
  • 300+ edge locations: global coverage across 100+ countries with automatic request routing to the nearest POP.
  • 0ms cold start time: V8 isolates eliminate container cold starts entirely; every request executes immediately.
  • 99.9% uptime target: infrastructure-level redundancy with automatic failover and self-healing monitoring.

Execution Model: V8 Isolates

Unlike traditional containerized APIs, Traffic Orchestrator runs on V8 isolates — the same engine that powers Chrome's JavaScript runtime. Each request gets its own isolated execution context with:

  • Memory isolation: No shared state between requests. Each validation is hermetically sealed.
  • CPU time limits: Hard 30-second CPU time limit prevents runaway processes.
  • No filesystem access: Workers cannot read or write to disk, eliminating an entire class of attacks.
  • Automatic scaling: Scales to millions of concurrent requests without provisioning.
03. Data Isolation Architecture

Every database query is scoped by organization ID. Your data is logically isolated at the query level, preventing cross-tenant data access by design.


Query-Level Tenant Isolation

Every SQL query includes a mandatory org_id filter. This is enforced at the ORM layer — it is architecturally impossible for one organization to access another's data through the API.

SELECT * FROM licenses WHERE org_id = ? AND license_key = ?
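One way to make the mandatory org_id filter a property of the data-access layer rather than of each call site, as an added example (not Traffic Orchestrator's ORM). The query builder only ever emits `org_id = ?` as the first predicate, refuses a caller-supplied org_id, and takes column names from a per-table allowlist so identifiers can never come from input. The table and column names are constructed for the example; the `prepare().bind()` shape in the comment is how D1 statements are run.

```javascript
// Added example: a tenant-scoped query builder. Table/column allowlist is
// constructed for illustration; it is not the vendor's schema.
const ALLOWED_COLUMNS = {
  licenses: new Set(['id', 'license_key', 'status', 'org_id']),
  api_keys: new Set(['id', 'key_hash', 'org_id']),
};

// Build a parameterised SELECT that is always scoped to one organisation.
// Returns { sql, params } so it can be fed to e.g. D1's
//   env.DB.prepare(sql).bind(...params).first()
function scopedSelect(table, orgId, filters = {}) {
  if (typeof orgId !== 'string' || orgId.length === 0) {
    throw new Error('org_id is required for every query');
  }
  const columns = ALLOWED_COLUMNS[table];
  if (!columns) throw new Error(`unknown table: ${table}`);

  // The tenant predicate is injected by the builder, never by the caller.
  const clauses = ['org_id = ?'];
  const params = [orgId];

  for (const [column, value] of Object.entries(filters)) {
    if (column === 'org_id') throw new Error('org_id cannot be overridden by the caller');
    // Identifiers are matched against the allowlist, so only known column
    // names ever reach the SQL string; values always go through placeholders.
    if (!columns.has(column)) throw new Error(`column not allowed: ${column}`);
    clauses.push(`${column} = ?`);
    params.push(value);
  }
  return { sql: `SELECT * FROM ${table} WHERE ${clauses.join(' AND ')}`, params };
}

// Convenience wrapper mirroring the lookup shown on the page.
function findLicense(orgId, licenseKey) {
  return scopedSelect('licenses', orgId, { license_key: licenseKey });
}
```

The important part is what the function refuses: a missing organisation, an attempt to pass org_id as an ordinary filter, and any identifier outside the allowlist. Code that calls this builder cannot express a cross-tenant query at all, which is the "by design" claim above.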

Edge-Native Database

Data is stored in D1 — an edge-native SQLite database replicated across the global network. Read replicas are distributed globally while writes are serialized through a primary for consistency.


API Key Scoping

API keys are SHA-256 hashed and scoped to a specific organization. Each key has configurable rate limits, IP allowlists, and audit trails. Key rotation is supported without downtime.


Comprehensive Audit Trail

Every license validation, creation, modification, and revocation is logged with timestamp, IP address, user agent, and actor identity. Audit logs are retained for 90 days with export capability.

04. Enterprise SSO & SAML 2.0

Traffic Orchestrator supports SAML 2.0 SP-initiated SSO, enabling your team to authenticate through your existing identity provider. No separate credentials to manage.

Supported Identity Providers

  • Okta — Full SAML 2.0 integration with JIT provisioning
  • Azure AD / Entra ID — Enterprise SSO with automatic role mapping
  • Google Workspace — Seamless integration for Google-native organizations
  • OneLogin — SAML 2.0 with signature verification
  • Custom SAML — Any SAML 2.0 compliant IdP

SSO Security Features

Protocol: SAML 2.0 SP-initiated
Signing: RSA-SHA256
Provisioning: JIT (Just-in-Time)
Domain Enforcement: Email domain locking
Assertion Validation: Signature + expiry + audience
Edge Implementation: Web Crypto API (no DOM)
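The assertion checks listed above (signature, expiry, audience) together with email domain locking, as an added example rather than the vendor's code. It operates on fields already extracted from a parsed assertion; XML parsing and XML-DSig verification are assumed to have been done by a library and are represented here only by a `signatureVerified` flag that the function requires to be exactly `true`. The one-minute clock-skew tolerance, the field names and the sample values are all constructed for the example.

```javascript
// Added example: post-signature SAML assertion validation. Field names,
// skew tolerance and sample data are assumptions for illustration.
const CLOCK_SKEW_SEC = 60; // tolerated IdP/SP clock drift (assumed value)

// `assertion` holds fields extracted from an already-parsed SAML Response:
//   signatureVerified: result of XML-DSig verification (library call not shown)
//   issuer, audiences[], notBefore, notOnOrAfter (ISO 8601), nameId (email)
// `expected` is the SP's configuration for this organisation.
function validateAssertion(assertion, expected, nowSec) {
  // 1. Signature first: nothing below is trustworthy until this holds.
  if (assertion.signatureVerified !== true) return { ok: false, reason: 'signature' };

  // 2. Validity window (Conditions/@NotBefore and @NotOnOrAfter), with
  //    bounded skew. NotOnOrAfter is exclusive per the SAML core spec.
  const nb = Date.parse(assertion.notBefore) / 1000;
  const noa = Date.parse(assertion.notOnOrAfter) / 1000;
  if (!Number.isFinite(nb) || !Number.isFinite(noa)) return { ok: false, reason: 'missing_conditions' };
  if (nowSec + CLOCK_SKEW_SEC < nb) return { ok: false, reason: 'not_yet_valid' };
  if (nowSec - CLOCK_SKEW_SEC >= noa) return { ok: false, reason: 'expired' };

  // 3. Audience: the assertion must name this SP, otherwise an assertion
  //    issued for another service could be replayed here.
  if (!Array.isArray(assertion.audiences) || !assertion.audiences.includes(expected.audience)) {
    return { ok: false, reason: 'audience' };
  }

  // 4. Issuer must be the IdP configured for this organisation.
  if (assertion.issuer !== expected.issuer) return { ok: false, reason: 'issuer' };

  // 5. Email domain locking: the NameID must be an email whose domain is one
  //    the organisation has claimed (exact match, no suffix matching).
  const email = String(assertion.nameId || '').trim().toLowerCase();
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return { ok: false, reason: 'nameid_not_email' };
  const domain = email.slice(at + 1);
  if (!expected.allowedEmailDomains.includes(domain)) return { ok: false, reason: 'domain' };

  return { ok: true, email };
}

// Constructed sample assertion and SP configuration for the checks above.
const SAMPLE_ASSERTION = {
  signatureVerified: true,
  issuer: 'https://idp.example-org.test/saml',
  audiences: ['https://app.example-sp.test/saml/metadata'],
  notBefore: '2024-01-01T12:00:00Z',
  notOnOrAfter: '2024-01-01T12:05:00Z',
  nameId: 'alice@example-org.test',
};
const SAMPLE_EXPECTED = {
  issuer: 'https://idp.example-org.test/saml',
  audience: 'https://app.example-sp.test/saml/metadata',
  allowedEmailDomains: ['example-org.test'],
};
```

The ordering is deliberate: a failed signature short-circuits before any field is read, and domain locking runs last because it is an authorisation decision about an identity the earlier steps have established as authentic.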
05. Application Security Controls

Defense-in-depth security controls enforced at every layer of the stack — from network edge to database queries.

  • Content Security Policy (CSP): Enforced. Strict CSP with nonce-based script allowlisting. No unsafe-eval, no unsafe-inline without nonce.
  • Rate Limiting: Active. Sliding window rate limiter at 100 req/min per API key. Brute-force lockout after 5 failed login attempts (15 min).
  • Input Validation: Enforced. Zod schema validation on all inputs. Prototype pollution protection strips __proto__, constructor, and prototype keys.
  • CORS Policy: Strict. Origin allowlist with credential support. Cross-origin requests are logged and audited.
  • Idempotency Keys: Supported. KV-backed POST request deduplication prevents double-processing of webhook/payment events.
  • Payload Size Limits: Enforced. Route-specific limits: Auth 16KB, Webhooks 256KB, General 1MB. Prevents DoS via oversized payloads.
  • Security Headers: Full Suite. HSTS, X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy, COOP, CORP.
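The rate-limiting control above, as an added example of a sliding-window limiter (100 requests per minute per API key) and of the same mechanism reused for the 5-failure, 15-minute login lockout. This is illustrative in-memory code, not Traffic Orchestrator's implementation (which, on the edge, would need shared storage rather than a per-isolate Map); the clock is injected so the behaviour is deterministic.

```javascript
// Added example: sliding-window rate limiting and login lockout. In-memory
// and illustrative; limits come from the page, everything else is assumed.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> ascending array of hit timestamps (ms)
  }

  // Drop timestamps that have left the window and return the live list.
  _prune(key, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const times = this.hits.get(key) || [];
    let i = 0;
    while (i < times.length && times[i] <= cutoff) i++;
    const live = i > 0 ? times.slice(i) : times;
    if (live.length > 0) this.hits.set(key, live); else this.hits.delete(key);
    return live;
  }

  // Record one request and decide whether it may proceed. A true sliding
  // window: the count is "hits in the last windowMs", not per fixed minute,
  // so a burst straddling a minute boundary cannot double the allowance.
  check(key, nowMs) {
    const live = this._prune(key, nowMs);
    if (live.length >= this.limit) {
      // The oldest hit leaves the window at live[0] + windowMs.
      return { allowed: false, remaining: 0, retryAfterMs: live[0] + this.windowMs - nowMs };
    }
    live.push(nowMs);
    this.hits.set(key, live);
    return { allowed: true, remaining: this.limit - live.length, retryAfterMs: 0 };
  }

  // Read-only: is the key at or over the limit right now? Does not record.
  isLocked(key, nowMs) {
    return this._prune(key, nowMs).length >= this.limit;
  }
}

// Per-API-key limiter: 100 requests per 60 seconds (figures from the page).
const apiLimiter = new SlidingWindowLimiter({ limit: 100, windowMs: 60 * 1000 });

// Login lockout: only failures are recorded; once 5 have happened within
// 15 minutes, further attempts are refused before credentials are checked.
const loginFailures = new SlidingWindowLimiter({ limit: 5, windowMs: 15 * 60 * 1000 });

function loginAllowed(accountKey, nowMs) {
  return !loginFailures.isLocked(accountKey, nowMs);
}

function recordLoginFailure(accountKey, nowMs) {
  loginFailures.check(accountKey, nowMs);
}
```

Returning `retryAfterMs` lets the caller emit a Retry-After header instead of a bare 429, and keying the login limiter on the account rather than the source IP is what makes the lockout effective against distributed guessing.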
06. Regulatory Compliance

Our data handling practices are designed to meet the requirements of major regulatory frameworks.

  • GDPR: Compliant. Full compliance with the EU General Data Protection Regulation. Data Processing Agreements (DPA) available. Right to erasure, data portability, and consent management supported.
  • CCPA: Compliant. California Consumer Privacy Act compliant. Consumers can request data disclosure, deletion, and opt-out of data sale (we do not sell data).
  • DPA: Available. Data Processing Agreement available upon request for Enterprise customers. Covers data handling, sub-processors, breach notification procedures, and data retention policies.
  • Data Residency: Enforced. Primary data storage in US regions with global edge caching. Enterprise customers can request region-specific data residency configurations.

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, please report it responsibly. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours.


Need More Detail?

Our team is available to answer security questionnaires, provide architecture deep-dives, and discuss custom compliance requirements for your organization.