
Security Policy

Last updated: March 2026

1. Infrastructure

Arch Tools is hosted on Render's managed infrastructure with automatic TLS, DDoS protection, and isolated service containers. All API traffic is encrypted in transit via TLS 1.3.

2. Authentication

API keys are generated using cryptographically secure random bytes and stored as SHA-256 hashes. Plaintext keys are shown only once at creation. Session tokens use HMAC-SHA256 with short expiry.

3. Data at Rest

User data is stored in PostgreSQL with encryption at rest provided by the hosting platform. We do not store API request/response payloads beyond transient logging (72-hour retention).

4. SSRF Protection

All URL-accepting tools validate against SSRF attacks by blocking private IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, ::1) and restricting to HTTP/HTTPS protocols only.
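A check of the kind described above, written as an added example and not Arch Tools' own code. The function names, the `SAMPLE_DNS` table and its hostnames are constructed for illustration; the blocked ranges and the HTTP/HTTPS restriction are the ones listed in this section.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the policy text: 10.x, 172.16-31.x, 192.168.x, 127.x, ::1
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the example runs offline.
SAMPLE_DNS = {"public.example": ["203.0.113.10"],
              "intranet.example": ["10.1.2.3"],
              "mixed.example": ["203.0.113.10", "192.168.0.5"]}

def sample_resolver(host, port):
    """Constructed resolver: table lookup, IP literals resolve to themselves."""
    return SAMPLE_DNS.get(host, [host])

def system_resolver(host, port):
    """Real resolver: every address the OS returns for the host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_blocked(addr_text):
    """True if the address falls inside one of the blocked ranges."""
    ip = ipaddress.ip_address(addr_text)
    # Compare an IPv4-mapped IPv6 address as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def check_url(url, resolver=system_resolver):
    """Return (allowed, reason); any parse or lookup failure is a rejection."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme is not http or https"
    if not parts.hostname:
        return False, "missing host"
    try:
        addrs = resolver(parts.hostname, port)
        blocked = [a for a in addrs if is_blocked(a)]
    except (OSError, ValueError):
        return False, "host did not resolve to an IP address"
    if not addrs or blocked:
        return False, "no address" if not addrs else "blocked address " + blocked[0]
    return True, "ok"
```

The check rejects a hostname if any of its addresses is in a blocked range, not just the first one returned. It only protects the outbound request if the HTTP client then connects to the addresses that were validated instead of resolving the name a second time.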

5. Rate Limiting

Rate limiting is applied in multiple layers: global per-IP limits, per-key tier-based limits, and endpoint-specific throttles for authentication routes.

6. Vulnerability Reporting

Report security vulnerabilities to [email protected]. We aim to acknowledge reports within 24 hours and provide a fix timeline within 72 hours. We do not currently operate a bug bounty program.

7. Incident Response

In the event of a data breach, affected users will be notified within 72 hours via email with details of the incident, data affected, and remediation steps taken.

© 2026 MCMetaverse LLC