Privacy Policy

Privacy Policy

Effective Date: January 1, 2025

1. Information Collection

a. Operational Data

• IP Address: Network identifier for security monitoring
• Geographic Location: Country-level location derived from IP address
• Cryptographic Operations: Algorithm selection, key sizes, data sizes, processing times
• Session Information: Session identifiers for operation tracking
• User Agent: Browser and device information for compatibility
• Performance Metrics: Processing times and success rates

b. Security Event Data

• Security Events: Threat detection, blocked requests, rule violations
• Error Messages: System errors for debugging purposes
• Access Patterns: Request frequency and behavior monitoring

2. Data Usage

Collected data is used exclusively for:

• Service Operation: Providing cryptographic services
• Security Monitoring: Detecting and preventing threats
• Performance Optimization: Improving system efficiency
• Compliance: Meeting legal and regulatory requirements

3. Data Storage and Retention

• Database Storage: Operational data stored in PostgreSQL database
• Retention Period: Data retained for 90 days for operational purposes
• Automated Cleanup: Data automatically purged after retention period
• Security: Database access restricted to authorized personnel only

4. Data Sharing

Fated LLC does not sell, rent, or share your data with third parties except:

• Legal Requirements: When required by law enforcement or court order
• Security Threats: When necessary to protect system integrity
• Service Providers: Limited access for hosting and infrastructure services

5. Technical Safeguards

Transport Layer Security

• TLS 1.3 Only: Exclusive use of TLS 1.3 protocol (SSLProtocol -all +TLSv1.3)
• Perfect Forward Secrecy: ECDHE ciphers with AES-GCM encryption
• HSTS: HTTP Strict Transport Security with preload and subdomain inclusion
• Certificate Transparency: Expect-CT header enforced with 24-hour max-age
• OCSP Stapling: Real-time certificate status validation

Web Application Firewall & Intrusion Prevention

• ModSecurity: OWASP Core Rule Set (CRS) with custom rules
• Fail2Ban: 15 active jails monitoring Apache, SSH, email services
• Rate Limiting: Automated IP blocking for suspicious activity
• Threat Detection: Real-time monitoring of apache-auth, apache-badbots, apache-overflows

Network & System Security

• UFW Firewall: Restrictive ruleset with port-specific access controls
• Database Protection: MySQL port 3306 explicitly denied from external access
• SSH Hardening: Rate limiting and brute-force protection via fail2ban
• Service Isolation: Specific port allowlists for required services only

Application Security Headers

• Content Security Policy: Strict CSP with nonce-based script execution
• XSS Protection: X-XSS-Protection and X-Content-Type-Options headers
• Cross-Origin Policies: CORP, COEP, and COOP headers configured
• Permissions Policy: Restricted access to geolocation, microphone, camera
• Referrer Policy: Strict-origin-when-cross-origin enforcement

File & Directory Protection

• Sensitive File Blocking: .htaccess rules deny access to .env, .log, .config files
• Hidden File Protection: All dot-files blocked from web access
• Server Information Hiding: Server signature and X-Powered-By headers removed
• Directory Traversal Prevention: Comprehensive path sanitization

Database & Data Protection

• Encrypted Connections: All database connections use TLS encryption
• Access Control: Restricted database user with minimal privileges
• Query Parameterization: Prepared statements prevent SQL injection
• Automatic Cleanup: Scheduled data purging after 90-day retention period

Monitoring & Incident Response

• Security Event Logging: Comprehensive logging to PostgreSQL security_events table
• Real-time Alerts: Automated notification system for security incidents
• Log Rotation: Systematic log management with retention policies
• Threat Intelligence: IP reputation and geographic access pattern analysis

6. User Rights

Under applicable privacy laws, you have the right to:

• Access: Request information about data we collect
• Deletion: Request deletion of your operational data
• Rectification: Request correction of inaccurate data
• Portability: Request data in machine-readable format

7. Cookies and Tracking

Our application uses minimal technical cookies:

• Session Management: Temporary session identifiers
• Security: CSRF protection tokens
• No Tracking: No advertising or behavioral tracking cookies

8. International Data Transfers

Data processing occurs within the United States. International users acknowledge data transfer to US servers with equivalent protection standards.

9. Children's Privacy

Our services are not directed to individuals under 16. We do not knowingly collect personal information from children under 16.

10. Changes to Privacy Policy

Privacy policy updates will be posted on this page with revised effective date. Continued use constitutes acceptance of changes.