Security & Privacy

Your identity data is sensitive. Here's exactly how we protect it, in plain language.

Encryption at rest

Every SSD (Self-State Description) blob is stored in SQLite with AES-256-GCM envelope encryption. The per-row data key is wrapped by a master key held outside the application database. SQLite WAL files and backup snapshots inherit the same encryption.

Encryption in transit

All traffic to api.soullayer.ai and app.soullayer.ai terminates TLS 1.3 with HSTS preload. Internal service-to-service calls run over mTLS within a private VPC.

End-to-end encryption (Pro+)

With E2E enabled, your browser derives a 256-bit key from your passphrase using Argon2id (memory 64 MB, time cost 3, parallelism 1) and encrypts the SSD with AES-256-GCM locally. The server only ever receives ciphertext, a salt, and a verify-hash — it literally cannot read your identity data.

Recovery uses a 24-word BIP-39 mnemonic generated once and shown to you only. We hash it server-side using the same Argon2id parameters; losing both the passphrase and the mnemonic means the data is unrecoverable (by design).

All cryptographic operations happen through the Web Crypto API — no key material ever touches JavaScript heap strings we could later exfiltrate.

Tenant isolation

Every user is a separate tenant with a dedicated SQLite shard. Rows are scoped by tenant_id and double-checked at every query. The authorization middleware in the API rejects any cross-tenant read or write at the route layer, independent of the ORM.

Credentials & API keys

Passwords are hashed with Argon2id using OWASP-recommended parameters (memory 64 MB, time cost 3). API keys are SHA-256-hashed on storage — the raw key is shown once at creation and never retrievable afterwards. Session cookies are HttpOnly, Secure, SameSite=Lax, with a short-lived access cookie plus a rotating refresh cookie.

Infrastructure

Cloud runs on AWS (eu-west-1 primary, us-east-1 for latency-sensitive endpoints). Persistent storage uses EBS gp3 volumes with encryption enabled. Daily encrypted backups go to S3 with Object Lock. Access to production is restricted to named operators via SSO + hardware-key MFA; every action is logged to an append-only audit trail.

Compliance roadmap

  • GDPR — data-subject rights live today: export (GET /v1/auth/export), deletion with 30-day grace, right-to-rectification via API.
  • CCPA — covered under the same export/deletion flows; see Privacy → California residents.
  • SOC 2 Type 1 — audit in progress, targeting Q3 2026.
  • SOC 2 Type 2 — planned Q1 2027 after 6 months of Type 1 operation.
  • HIPAA BAA — available for Enterprise customers; the policy engine ships a HIPAA template out of the box.

Open source

The entire codebase is MIT-licensed and publicly auditable at github.com/soullayer/soullayer. Every cryptographic primitive described above is implementable by reading the source; nothing relies on security-through-obscurity. If you want to self-host with your own key material, the Docker image and Helm chart are in the same repo.

Responsible disclosure

Report vulnerabilities to security@soullayer.ai. Include reproduction steps, affected versions, and any proof-of-concept. We acknowledge reports within 48 hours, validate within 7 days, and aim to patch critical issues within 14 days.

We run a private bug bounty for verified researchers; request an invite by emailing the address above with a short summary of prior work. Payouts scale with severity (CVSS v3.1):

  • Critical (9.0–10.0) — $2,000–$5,000
  • High (7.0–8.9) — $500–$2,000
  • Medium (4.0–6.9) — $100–$500
  • Low (0.1–3.9) — Hall of Fame + swag

Safe harbor: we will not pursue legal action against researchers who act in good faith, respect the scope, and avoid degrading service for other users.