Security Policy

1. Structural Decoupling Architecture

Traditional integration networks bind API secrets directly inside the runtime execution layers or agent prompt context threads. This design exposes customer integrations to prompt injection theft vectors and leak hazards.

DataFuse eliminates this design flaw by establishing a Cryptographically Decoupled Gateway:

2. Encryption & Key Custody

We safeguard customer secrets and developer workspace metadata through dual-layered encryption:

• Data at Rest: Application databases, compiled YAML configurations, and session records are encrypted using AES-256 with keys managed by AWS KMS (Key Management Service).
• Credential Vaults: Hardware vaults manage customer keys with multi-region envelope encryption. Data is decryptable only by automated, short-lived gateway execution accounts under tight IAM restrictions.
• Data in Transit: Enforced TLS 1.3 encryption on all public APIs, dashboard endpoints, and background microservices communication. Legacy TLS version requests are automatically dropped at our edge.

3. Network & Infrastructure Security

Our secure gateway infrastructure runs inside isolated Amazon Web Services Virtual Private Clouds (VPCs):

• VPC Isolation: Production datastores and isolated credential enclaves have no direct exposure to the public internet and communicate exclusively via internal private endpoints.
• Edge Protection: Enforced Cloudflare edge proxy configurations protect against DDoS attacks, automated scrape-bots, and SQL-injections.
• Intrusion Detection: AWS GuardDuty and container vulnerability monitors scan active workloads for anomalous network scans, memory spikes, or unauthorized shell spawns.

4. Security Governance & Audits

DataFuse builds continuous security controls that are independently certified and monitored:

• SOC 2 Type II: Our organization undergoes annual third-party audits verifying our controls meet strict trust criteria (Security, Availability, Confidentiality).
• Continuous Compliance: We leverage automated compliance tracking (Vanta) to monitor IAM access, MDM status on employee laptops, and backup readiness daily.
• Employee Training: Background checks are performed on all new hires, and mandatory annual security awareness training is enforced company-wide.

5. Vulnerability Disclosure Program (VDP)

DataFuse values the critical contributions of security researchers and ethical hackers. We maintain a Vulnerability Disclosure Program (VDP) to streamline collaboration.

Our Commitment to Safe Harbor: If you act in good faith and conduct your security research in accordance with this policy, we will:

• Consider your activities fully authorized and legal under local computer misuse regulations.
• Work with you to understand, reproduce, and resolve the technical issue quickly.
• Never initiate legal proceedings or report your security research to law enforcement.

6. Disclosure Scope & Exclusions

In-Scope targets:

• DataFuse public marketing pages: *.datafuse.xyz
• DataFuse Developer Console dashboard & compilation compiler API routes.
• DataFuse Gateway Enclave servers and TLS proxy services.

Explicitly Prohibited Exclusions:

• Denial of Service (DoS/DDoS) attacks designed to deplete gateway resources.
• Social engineering or phishing of DataFuse support staff or engineers.
• Inspecting, scraping, or compromising active data belonging to other DataFuse user accounts.
• Physical intrusion attempts against Amazon Web Services datacenter locations.

7. Reporting a Finding

If you discover a security vulnerability or credential leak on our systems, please report it immediately to our security response team.

To help us analyze your report, please include:

• Detailed description of the finding, affected endpoint/API, and severity assessment.
• Clear step-by-step reproduction instructions, logs, or payload code proof-of-concept.
• Your preferred developer name or handle for public credits in our Trust Center updates.