Security at Angstroma
Last updated: April 13, 2026
How we protect your data — and what to do if you find a vulnerability. Security concerns: [email protected]
1. Security Practices
| Area | What we do |
|---|---|
| Password storage | Argon2id password hashing, the memory-hard key derivation function recommended by OWASP and RFC 9106. Parameters are tuned to current best practice and reviewed periodically. We never store plain-text passwords. New and changed passwords are screened against the Have I Been Pwned corpus using k-anonymity — the password itself never leaves your browser. |
| Token security | RS256 asymmetric JWT tokens. Private keys never leave our servers. The browser never holds a JWT — tokens are stored in HttpOnly, Secure, encrypted session cookies (AES-256 via iron-session). |
| Email-based authentication | Verification, password reset, and team invite links are time-limited, single-use, and bound to the originating request. Because these flows rely on the security of your email account, we recommend organizations enforce MFA on the mailboxes used to access Angstroma. |
| API key handling | API keys are stored as SHA-256 hashes only. The raw key is shown exactly once at creation. We cannot recover it — if lost, you must revoke and regenerate. |
| Tenant isolation | Database-level row isolation using global query filters. It is architecturally impossible for one customer to access another customer's data accidentally. |
| Data in transit | TLS 1.2 or higher enforced for all connections; TLS 1.3 preferred. HTTP traffic is redirected to HTTPS. HSTS is enabled across all customer-facing domains. |
| Audit logging | Immutable audit logs for all security-relevant actions. Logs are retained for 2 years and cannot be modified or deleted. |
| Monitoring | Azure Application Insights and Sentry monitor for anomalies and errors. Our team is alerted to unusual patterns in real time. |
| Auth rate limiting | Adaptive multi-layer rate limiting on authentication endpoints (by IP, email, account, and tenant) to defend against brute-force, credential-stuffing, and enumeration attacks. Repeated failures trigger temporary lockouts. Exact thresholds are not disclosed publicly to reduce threshold-probing risk; they are available to enterprise customers under NDA. |
| Application stack | Backend built on .NET. Portal and marketing site built on Next.js and hosted on Vercel. Primary data store is Azure SQL Database. Widget SDK delivered via Bunny CDN. All infrastructure is covered by the sub-processor list in our Data Processing Agreement. |
| Infrastructure | Hosted on Microsoft Azure. Secrets stored in Azure Key Vault and injected at runtime via managed identity. WAF, DDoS protection, and bot mitigation (Cloudflare Turnstile) via Cloudflare. Dependencies monitored continuously by Renovate, Dependabot, and CodeQL static analysis. |
| Input validation | All API endpoints use server-side input validation. No stack traces are returned to clients — only generic error messages with a trace ID. |
2. Compliance Program
Angstroma operates on a free-first, demand-triggered compliance posture. Our security controls are mapped to recognised free frameworks (NIST, OWASP, GDPR, ADA) and operational today. We pursue paid third-party certifications (SOC 2 Type II, ISO 27001) only when a specific enterprise customer requires one — and we will never claim a certification we have not actually received.
Current framework posture
| Framework | Scope | Status |
|---|---|---|
| NIST CSF 2.0 | Cybersecurity controls framework | Aligned — self-attested |
| NIST AI RMF | AI risk management | Operational |
| OWASP ASVS v4.0.3 Level 2 | Application-security baseline | Self-attested |
| OWASP API Security Top 10 (2023) | API-layer defence-in-depth | Full coverage |
| NIST SP 800-63B rev 3 | Digital identity / authentication | Implemented |
| GDPR Article 25 + Article 20 | Privacy by design + data portability | Implemented |
| ADA Title II + III | Accessibility (product scope) | Core product |
| EU Accessibility Act (EAA) | Accessibility (product scope) | Core product |
| ISO 27001 Annex A | ISMS controls | Controls operational — not certified |
| SOC 2 Type II | Trust services (CC6.1–CC6.8) | Controls aligned — not certified |
| COPPA 16 CFR §312.5(c)(6) | School-authorized agent posture (K-12) | Schools tier — operational |
| FERPA 34 CFR §99.31(a)(1)(i)(B) | School official designation (K-12) | Schools tier — operational |
What we never claim
We do not claim to be "SOC 2 certified", "ISO 27001 certified", "ISO 42001 certified", "ISO 27701 certified", or any similar phrase that implies an external attestation we have not received. Any such claim would be misleading. If you see that language anywhere associated with Angstroma — in our marketing, our sales conversations, or any partner material — please report it to [email protected] and we will correct it publicly.
Continuous verification
- Annual external penetration test with public remediation tracking
- Public vulnerability disclosure program (see
/.well-known/security.txt) - Immutable audit logging with 2-year retention (hash-chain, tamper-evident)
- Role-based access control (Owner, Admin, Member, Viewer)
- Documented incident-response procedures with 72-hour GDPR notification SLA (48 hours for Schools tier)
- Vendor and sub-processor risk management (see our Data Processing Agreement)
- Continuous dependency and supply-chain monitoring (Renovate, Dependabot, CodeQL)
- Internal Policy Pack covering 16 security and AI governance domains (available under NDA on request)
Enterprise procurement requirements? If your vendor review requires a paid third-party audit report (SOC 2 Type II, ISO 27001, ISO 42001), contact [email protected]. Our controls are already aligned to these frameworks — the path from aligned controls to a signed audit report is measured in weeks, not months, once a named customer commits.
3. Responsible Disclosure Policy
We appreciate the work of security researchers who help keep Angstroma and our customers safe. If you discover a security vulnerability, please report it responsibly.
How to report
Email: [email protected]
For sensitive reports, please request our PGP public key via email. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots (if safe to share)
- Your contact information for follow-up
What to expect
| Timeframe | What happens |
|---|---|
| Within 2 business days | Acknowledgement of your report |
| Within 10 business days | Initial assessment and confirmation of the vulnerability |
| Within 90 days | Resolution, mitigation, or an explanation if a fix is not possible |
| After resolution | Public credit in our disclosure if you wish |
Scope
In scope:
- angstroma.com (marketing + customer portal)
- api.angstroma.com (public API)
- cdn.angstroma.com (widget SDK distribution)
- The Angstroma widget SDK
- The Angstroma browser extension
Out of scope:
- admin.angstroma.com and any internal administrative interfaces (access-restricted; testing requires prior written authorization from [email protected])
- Social engineering attacks targeting Angstroma staff
- Physical security
- Denial-of-service attacks
- Automated scanning that generates significant server load
- Vulnerabilities in third-party services (Stripe, Cloudflare, Azure, Vercel, Resend, Bunny CDN) — report those directly to the vendor
Our commitment to you
- We will not take legal action against you for good-faith research within this scope
- We will work with you to understand and validate the issue
- We will keep you updated on remediation progress
- We do not currently operate a paid bug bounty program, but we recognize researchers publicly (with consent)
4. Data Breach Notification
In the event of a confirmed data breach affecting your personal data or your customers' data, we will:
- Notify affected users within 72 hours of discovery (GDPR requirement)
- Notify relevant supervisory authorities within 72 hours as required by law
- Provide a clear description of what data was affected, the likely impact, and measures taken
- Publish a post-incident summary once the incident is fully resolved
Schools tier — enhanced 48-hour SLA. For Schools tier customers handling student education records, we commit to notifying the district within 48 hours of discovering any unauthorized access or disclosure. See Privacy Policy §12.3 and Terms §18.7 for the full FERPA breach commitments.
5. Security Contact
| Vulnerability reports | [email protected] |
|---|---|
| General security questions | [email protected] |
| Data breach / privacy | [email protected] |
See also: Privacy Policy · Transparency Charter