
Security

Last updated: March 17, 2026

Security is foundational to CR Gateway. As a service that validates AI outputs for safety and accuracy, we hold ourselves to the same rigorous standards we enforce for our customers. This page describes our security architecture, data handling practices, and ongoing commitments.

Architecture Overview

No servers. No filesystem. No persistent state by default. CR Gateway runs entirely on Cloudflare Workers — serverless edge computing with no long-running processes, no writable filesystem, and no single point of failure.

Edge Computing

Every API request is processed at the nearest Cloudflare data center (300+ locations worldwide). There is no origin server. Code executes in V8 isolates with per-request memory boundaries — one customer's request cannot access another's memory space.

Stateless by Default

The core validation endpoint (/v1/validate) processes your data in memory and returns a result. Nothing is written to disk. Your LLM content is validated and forgotten. Storage is only used when you explicitly call /v1/store.

Data Handling

What We Store

Data | Storage | Retention
Email & company name | Cloudflare KV | Duration of account + 30 days
Hashed password | Cloudflare KV | Duration of account
Hashed API keys | Cloudflare KV | Duration of account
Usage counters | Cloudflare KV | Rolling 90-day window
Tenant configuration | Cloudflare KV | Duration of account
Stored messages (opt-in only) | Cloudflare KV | Until deleted by customer

What We Never Store

  • LLM request/response content (unless explicitly stored via /v1/store)
  • Plaintext passwords or API keys
  • Credit card numbers or payment instrument details (handled by Stripe)
  • IP addresses beyond in-memory rate limiting
  • Personally identifiable information beyond email and company name

Authentication & Access Control

API Key Authentication

All API requests require a valid API key passed via the Authorization: Bearer header. Keys are generated with cryptographically secure random bytes and prefixed with bc_live_ for identification. Keys are hashed with HMAC before storage — we cannot retrieve your original key after issuance.

Password Security

Dashboard passwords are hashed using PBKDF2 with SHA-256 and 100,000 iterations. Salts are unique per account. We use the Web Crypto API (built into Cloudflare Workers) for all cryptographic operations — no third-party crypto libraries.

Agent Message Integrity

Ed25519 Digital Signatures

CR Gateway supports Ed25519 digital signatures for agent-to-agent messages. When enabled:

  • Each agent signs messages with its private key
  • The gateway verifies signatures against registered public keys
  • Messages with invalid signatures are rejected with HTTP 403
  • Messages without signatures pass through (soft enforcement) — allowing gradual rollout

This prevents message tampering and impersonation in multi-agent systems.

Validated Relay (HMAC)

The /v1/relay endpoint provides agent-to-agent message delivery with HMAC-SHA256 verification. Each relayed message includes a cryptographic signature that the receiving agent can verify, ensuring messages were not modified in transit.

Input Validation & Attack Prevention

SSRF Protection

All outbound requests are validated against an allowlist. Internal IPs (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16), metadata endpoints, and non-HTTP protocols are blocked. URL validation occurs before any network request is made.
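
A check of this kind, written here as an added example and not taken from CR Gateway's code: it parses the URL first, then applies the protocol rule, the internal ranges listed above, and a host allowlist. The allowlist entries, the function names, and the decision to refuse IPv6 literals are assumptions.

```javascript
// Added example (not CR Gateway's code): gate an outbound URL before any fetch.
// ALLOWED_HOSTS is a constructed allowlist; function names are hypothetical.
const ALLOWED_HOSTS = new Set(['api.example.com', 'hooks.example.net']);

// The internal ranges listed above, as [network, prefix length].
const BLOCKED_V4 = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12],
  ['192.168.0.0', 16], ['169.254.0.0', 16], // 169.254/16 covers 169.254.169.254
];

// Dotted-quad string -> unsigned 32-bit integer, or null if not an IPv4 literal.
function v4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inBlockedRange(ipInt) {
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ipInt & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
  });
}

function checkOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { allow: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allow: false, reason: 'protocol' };
  }
  // The WHATWG parser has already rewritten 2130706433 or 0x7f.1 to 127.0.0.1
  // and split off any user@ prefix, so range checks see the real target host.
  const host = url.hostname;
  // Assumption: IPv6 literals are refused outright (the page lists IPv4 ranges only).
  if (host.startsWith('[')) return { allow: false, reason: 'ipv6_literal' };
  const ip = v4ToInt(host);
  if (ip !== null && inBlockedRange(ip)) return { allow: false, reason: 'internal_ip' };
  if (!ALLOWED_HOSTS.has(host)) return { allow: false, reason: 'not_allowlisted' };
  return { allow: true, reason: 'ok' };
}
```

This inspects the URL text only. A redirect target needs the same check, so the request should be made with redirect: 'manual' and each Location value passed back through checkOutboundUrl.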

Path Traversal Blocking

URL paths containing .. sequences are rejected with HTTP 400 before reaching any handler. This prevents directory traversal attacks against KV key structures.

Input Size Limits

Request bodies are limited by endpoint. Message type fields are capped at 256 characters. Malformed JSON, oversized payloads, and unexpected content types are rejected at the edge.

Homoglyph Detection

The danger-term detection system identifies evasion attempts using Cyrillic lookalike characters, leetspeak substitutions, and zero-width character insertion. All three techniques are tested and verified in our security suite.
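
How a detector can see through the three evasion styles named above, as an added example that is not CR Gateway's implementation: text is canonicalised in stages before term matching, and a match that only appears after canonicalisation is reported as an evasion attempt. The lookalike tables, the term list, and all names are small constructed samples.

```javascript
// Added example (not CR Gateway's code). Tables and terms are constructed samples.
const CYRILLIC_TO_LATIN = {
  '\u0430': 'a', '\u0435': 'e', '\u043E': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0445': 'x', '\u0443': 'y', '\u0456': 'i', '\u0455': 's',
};
const LEET_TO_LATIN = {
  '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's',
};
const DANGER_TERMS = ['drop table', 'disable safety']; // hypothetical term list

function mapChars(s, table) {
  return Array.from(s, (ch) => table[ch] ?? ch).join('');
}

// Each stage undoes one evasion style; order matters because leetspeak mapping
// would otherwise run on text that still contains invisible separators.
const STAGES = [
  ['zero_width', (s) => s.replace(/[\u200B-\u200D\u2060\uFEFF]/g, '')],
  ['cyrillic_lookalike', (s) => mapChars(s, CYRILLIC_TO_LATIN)],
  ['leetspeak', (s) => mapChars(s, LEET_TO_LATIN)],
];

function detectDangerTerms(text) {
  const raw = text.normalize('NFKC').toLowerCase();
  const techniques = [];
  let canonical = raw;
  for (const [name, undo] of STAGES) {
    const next = undo(canonical);
    if (next !== canonical) techniques.push(name);
    canonical = next;
  }
  return DANGER_TERMS.filter((term) => canonical.includes(term)).map((term) => {
    // Evasion means the term is invisible to a plain match on the raw text.
    const evasion = !raw.includes(term);
    return { term, evasion, techniques: evasion ? techniques : [] };
  });
}
```

Mapping every digit to a letter changes benign text as well, which is why techniques are reported only when a term matches after canonicalisation and not before.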

Rate Limiting

Rate limiting is enforced at two levels:

  • Per-minute — prevents burst abuse and protects service stability for all tenants
  • Per-day — enforces subscription plan limits (Free: 1,000/day, Pro: 50,000/day, Scale: 500,000/day)

Rate limiting is per-company (keyed to your API key's tenant), not per-IP. Exceeding limits returns HTTP 429 with a Retry-After header.

Webhook Security

Inbound webhooks (e.g., from Stripe) are verified using HMAC-SHA256 signature validation. The webhook payload, timestamp, and a shared secret are used to compute the expected signature. Requests with missing or invalid signatures are rejected. Timestamps older than 5 minutes are also rejected to prevent replay attacks.

Infrastructure Security

  • TLS everywhere — all traffic is encrypted with TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS by Cloudflare.
  • DDoS protection — Cloudflare's global network provides automatic Layer 3/4/7 DDoS mitigation.
  • No persistent servers — there are no VMs, containers, or servers to patch. Cloudflare manages the underlying infrastructure and V8 runtime updates.
  • Isolated execution — each request runs in its own V8 isolate. There is no shared memory between requests or between tenants.
  • CORS policy — the API enforces strict CORS headers, allowing requests only from authorized origins.
  • Content Security Policy — the gateway site restricts connect-src to the gateway worker domain only, preventing data exfiltration via XSS.

Compliance & Certifications

Cloudflare Compliance (Status: ACTIVE)

Our infrastructure provider (Cloudflare) maintains SOC 2 Type II, ISO 27001, PCI DSS Level 1, and FedRAMP certifications. CR Gateway inherits these infrastructure-level controls.

SOC 2 Type II (Status: PLANNED)

Cipher & Row is working toward SOC 2 Type II certification for the CR Gateway service. Timeline to be announced.

Penetration Testing (Status: PLANNED)

Third-party penetration testing is planned for 2026. In the interim, we run automated security test suites covering SQL injection, XSS, SSRF, path traversal, and homoglyph evasion — all verified in our 148-test overnight suite.

Responsible Disclosure

If you discover a security vulnerability in CR Gateway, please report it responsibly. We ask that you:

  • Email security@cipherandrow.com with a detailed description of the vulnerability
  • Include steps to reproduce, if possible
  • Allow us reasonable time (90 days) to address the issue before public disclosure
  • Do not access or modify other customers' data as part of your research

We will acknowledge receipt within 48 hours and provide status updates as we investigate.

Security Contact

For security questions, vulnerability reports, or to request our security documentation:

Cipher & Row LLC
Security: security@cipherandrow.com
General: support@cipherandrow.com
