Security Policy

Last updated: April 3, 2026

Dregs is a fraud detection platform that processes data on behalf of customers. We take the security of that data seriously and continue to evolve our practices over time. This page summarizes certain technical and organizational safeguards we currently use. It is provided for informational purposes and does not create a warranty, guarantee, or separate contractual commitment unless expressly incorporated into an agreement with you.

Encryption

Data in transit between your systems and Dregs is encrypted using TLS. This applies to the tracking script, REST API, and dashboard. Webhook deliveries can include an HMAC-SHA256 signature so your application can verify authenticity and integrity.
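Verifying a webhook signature on the receiving side, as an added example that is not Dregs' own code: it assumes the signature is a hex-encoded HMAC-SHA256 over the raw request body and is carried in a hypothetical `X-Dregs-Signature` header; check the webhook documentation for the actual header name and encoding.

```python
import hmac
import hashlib
import json

# Hypothetical header name; consult the Dregs webhook documentation for the real one.
SIGNATURE_HEADER = "X-Dregs-Signature"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact request bytes, hex-encoded (assumed format)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, received: str) -> bool:
    """Constant-time comparison so response timing does not leak the expected digest."""
    if not received:
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_delivery(headers: dict, raw_body: bytes, secret: bytes):
    """Return (http_status, parsed_event_or_None). Verify before parsing: the
    signature covers the raw bytes, so re-serialising the JSON first would break it."""
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER, "")):
        return 401, None
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None


# Constructed sample: a signing secret and a delivery body as a sender would produce them.
SAMPLE_SECRET = b"whsec_example_do_not_use"
SAMPLE_BODY = b'{"event":"transaction.scored","id":"evt_123","risk_score":87}'
SAMPLE_HEADERS = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET))
    # A single changed byte in the body invalidates the signature.
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY.replace(b"87", b"7"), SAMPLE_SECRET))
```

Reject unsigned deliveries outright rather than falling back to unverified processing, and rotate the signing secret through the dashboard if it is ever exposed.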

Authentication & Access Control

Dashboard access is protected by JWT-based authentication, and user passwords are hashed with BCrypt rather than stored in plaintext. Tokens issued before a password change or account deletion are rejected. Role-based permissions limit each customer user's access to what their assigned role allows.

API access uses credential-based authentication. Credentials can be enabled, disabled, revoked, and, for browser-side tracking use cases, configured with allowed-origin restrictions.

Rate Limiting

The platform applies rate limits to authentication endpoints, sensitive account actions, general API access, event ingestion, email delivery, and webhook delivery in order to reduce abuse and protect service availability.

Data Isolation

Customer data is logically isolated at the application level. Database queries that access customer-owned data are scoped to the requesting customer, and API response types are designed to avoid exposing internal-only fields by default.

Input Validation

External input is validated at system boundaries before reaching core processing paths. Credentials are format-validated, and user-supplied event, identity, and related inputs are constrained before use.

Security Headers

Core application surfaces set security headers such as X-Frame-Options, X-Content-Type-Options, HTTP Strict Transport Security (HSTS), and Content Security Policy where supported by the relevant component.

Credential Security

User passwords are hashed using BCrypt and are never stored in plaintext. API keys and webhook signing secrets are generated using cryptographically secure methods and should be treated as secrets by customers. We limit secret display in the product where practical, but customers are responsible for storing credentials securely once issued.

Infrastructure

The primary Dregs application infrastructure is currently hosted on Amazon Web Services (AWS) in the EU (Frankfurt, eu-central-1). Some supporting service providers operate in other jurisdictions. For details on infrastructure and service providers that may process customer data, see our Sub-Processors list.

Incident Response

We investigate suspected security incidents and work to contain and remediate confirmed issues. If we confirm a security incident affecting customer data, we will notify affected customers as required by applicable law and contract, including our Data Processing Agreement where applicable.

Questions

For security questions, concerns, or to report a vulnerability, contact us at security@dregs.com.