
Security Practices

NotiCord is built with security as a foundational principle. This document outlines our security practices and the measures we take to protect your data.


Infrastructure Security

Cloud Platform

  • Provider: Microsoft Azure
  • Region: EU (Europe) for data residency compliance
  • Standards: Built on Azure's enterprise-grade security infrastructure
  • Network: IP-based firewall rules for database access

Compute & Hosting

  • App Service: Linux-based, Node.js 20 LTS runtime
  • Isolation: Separate development and production environments
  • Always On: Production instances run continuously
  • Updates: Automated security patches and OS updates

Data Security

Encryption

At Rest:

  • Database: Azure SQL with Transparent Data Encryption (TDE enabled by default)
  • Backups: Automated backups with geo-redundant storage (GRS)
  • Secrets: Azure Key Vault for centralized secrets management

In Transit:

  • HTTPS with modern TLS: All communications encrypted
  • Webhook Verification: Cryptographic signature validation on every inbound webhook, establishing origin and integrity rather than confidentiality (details under Webhook Security)
  • API Security: OAuth 2.0 with JWT tokens

Data Minimization

We practice privacy by design:

What we store:

  • User IDs (Discord, Notion)
  • Database and workspace IDs
  • Rule configurations
  • Usage metrics (quota enforcement)

What we never store:

  • Discord message content
  • Notion page content
  • User passwords
  • Conversation history

Access Control

  • Authentication: Auth0 with Discord OAuth
  • Authorization: Role-based access control (subscription owners)
  • API Security: JWT validation on all authenticated endpoints
  • Least Privilege: Application uses minimal permissions (Azure Managed Identity)

Application Security

Authentication & Authorization

User Authentication:

  • Auth0 (Discord OAuth) with PKCE flow
  • JWT tokens with Auth0-managed expiration
  • No password storage (delegated to Discord)

Service Authentication:

  • Notion OAuth with workspace-level permissions
  • Discord bot token rotation capability
  • Stripe webhook signature verification

API Security:

  • Bearer token authentication
  • CORS restrictions (specific origins only)
  • Rate limiting: not yet implemented (planned post-MVP)
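What "JWT validation on all authenticated endpoints" has to cover, as an added example in TypeScript for Node.js 20 (illustrative code written for this page, not NotiCord's middleware). It pins the algorithm to RS256, which is what Auth0 issues by default, and checks signature, issuer, audience, expiry and not-before with a small leeway. To run offline it mints tokens with a locally generated RSA key instead of fetching the tenant's JWKS; the issuer and audience strings are placeholders, and the function names are this example's own.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

interface JwtClaims { iss?: string; aud?: string | string[]; exp?: number; nbf?: number; sub?: string; [k: string]: unknown }
interface ValidationPolicy { issuer: string; audience: string; nowSec: number; leewaySec?: number }

function b64urlDecode(s: string): Buffer { return Buffer.from(s, "base64url"); }
function b64urlEncode(b: Buffer | string): string { return Buffer.from(b).toString("base64url"); }

// Returns the verified claims or throws. The algorithm is pinned to RS256 before the
// signature is checked, so "alg":"none" and HMAC-keyed tokens (alg confusion) are
// rejected without ever touching the key.
function validateJwt(token: string, publicKey: KeyObject, policy: ValidationPolicy): JwtClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(b64urlDecode(h).toString("utf8")) as { alg?: string; typ?: string };
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`);
  if (!verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey, b64urlDecode(s))) throw new Error("bad signature");
  const claims = JSON.parse(b64urlDecode(p).toString("utf8")) as JwtClaims;
  const leeway = policy.leewaySec ?? 0;
  if (claims.iss !== policy.issuer) throw new Error("wrong issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : claims.aud ? [claims.aud] : [];
  if (!aud.includes(policy.audience)) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || policy.nowSec > claims.exp + leeway) throw new Error("expired");
  if (typeof claims.nbf === "number" && policy.nowSec + leeway < claims.nbf) throw new Error("not yet valid");
  return claims;
}

// Constructed issuer: a throwaway RSA key standing in for the Auth0 tenant's JWKS key.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const POLICY: ValidationPolicy = {
  issuer: "https://example-tenant.auth0.invalid/", // placeholder, not a real tenant
  audience: "https://api.example.invalid",          // placeholder API identifier
  nowSec: 1_730_000_000,                             // fixed clock so results are reproducible
  leewaySec: 30,
};

function mint(claims: JwtClaims, header: object = { alg: "RS256", typ: "JWT" }): string {
  const h = b64urlEncode(JSON.stringify(header));
  const p = b64urlEncode(JSON.stringify(claims));
  return `${h}.${p}.${b64urlEncode(sign("RSA-SHA256", Buffer.from(`${h}.${p}`), privateKey))}`;
}

// Runs the validator over one good token and four tokens an attacker might present.
function outcomes(): Record<string, string> {
  const good: JwtClaims = { iss: POLICY.issuer, aud: POLICY.audience, sub: "discord|123", exp: POLICY.nowSec + 3600 };
  const signedParts = mint(good).split(".");
  const cases: Record<string, string> = {
    valid: mint(good),
    expired: mint({ ...good, exp: POLICY.nowSec - 3600 }),
    wrongAudience: mint({ ...good, aud: "https://other.invalid" }),
    // unsigned token claiming alg none
    algNone: `${b64urlEncode(JSON.stringify({ alg: "none" }))}.${b64urlEncode(JSON.stringify(good))}.`,
    // valid signature re-used over an edited payload
    tamperedSub: `${signedParts[0]}.${b64urlEncode(JSON.stringify({ ...good, sub: "discord|999" }))}.${signedParts[2]}`,
  };
  const out: Record<string, string> = {};
  for (const [name, tok] of Object.entries(cases)) {
    try { out[name] = "accepted:" + String(validateJwt(tok, publicKey, POLICY).sub); }
    catch (e) { out[name] = "rejected:" + (e as Error).message; }
  }
  return out;
}

console.log(outcomes());
```

In production, use a maintained verifier such as jose or express-oauth2-jwt-bearer that resolves the signing key by kid from the tenant's JWKS endpoint and caches it; the checks above are the minimum such a library must perform, and the audience check is the one most often left out, which lets a token issued for a different API of the same tenant be accepted.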

Input Validation

  • Schema Validation: Zod for all API inputs
  • SQL Injection Protection: Sequelize ORM with parameterized queries
  • XSS Protection: React with automatic escaping
  • CSRF Protection: SameSite cookies; API calls carry a Bearer token in the Authorization header rather than a browser-attached cookie, so a cross-site request cannot include the user's credentials, and CORS policies restrict which origins may read responses

Webhook Security

All incoming webhooks are verified:

  • Discord: Ed25519 signature verification (required)
  • Stripe: HMAC-SHA256 webhook signature
  • Notion: HMAC signature with verification token
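What the three checks above involve, as an added example in TypeScript for Node.js 20 using only node:crypto (illustrative code written for this page, not NotiCord's implementation). It assumes the header layouts each provider documents: Discord's X-Signature-Ed25519 and X-Signature-Timestamp pair, signed over timestamp followed by raw body; Stripe's Stripe-Signature header with t= and v1= fields over "<t>.<body>"; and Notion's X-Notion-Signature header carrying sha256=<hex> of the raw body keyed with the verification token. Keys, secrets and payloads are generated or constructed inline so the block runs offline; the function names are this example's own.

```typescript
import { createHmac, createPublicKey, generateKeyPairSync, sign, timingSafeEqual, verify } from "node:crypto";

// Constant-time comparison that does not throw on a length mismatch
// (timingSafeEqual throws when lengths differ, which is itself a small oracle).
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a);
  const bb = Buffer.from(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Discord interactions: Ed25519 over (timestamp || rawBody). Discord publishes the
// application public key as 32 raw bytes in hex; prepend the SPKI DER header so
// node:crypto can load it.
const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");

function verifyDiscord(publicKeyHex: string, timestamp: string, rawBody: string, signatureHex: string): boolean {
  const raw = Buffer.from(publicKeyHex, "hex");
  if (raw.length !== 32) return false;
  const key = createPublicKey({ key: Buffer.concat([ED25519_SPKI_PREFIX, raw]), format: "der", type: "spki" });
  try {
    return verify(null, Buffer.from(timestamp + rawBody), key, Buffer.from(signatureHex, "hex"));
  } catch {
    return false; // malformed signature bytes
  }
}

// Stripe: "t=<unix>,v1=<hex>[,v1=<hex>...]"; signed payload is "<t>.<rawBody>" under
// HMAC-SHA256 with the endpoint secret. The timestamp must be recent, otherwise a
// captured valid event could be replayed indefinitely.
function verifyStripe(secret: string, header: string, rawBody: string, nowSec: number, toleranceSec = 300): boolean {
  let t: string | undefined;
  const v1: string[] = [];
  for (const part of header.split(",")) {
    const [k, v] = part.split("=", 2);
    if (k === "t") t = v;
    else if (k === "v1" && v) v1.push(v);
  }
  if (!t || v1.length === 0) return false;
  const ts = Number(t);
  if (!Number.isFinite(ts) || Math.abs(nowSec - ts) > toleranceSec) return false;
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  return v1.some((sig) => safeEqual(sig, expected));
}

// Notion: "sha256=<hex>", HMAC-SHA256 of the raw body keyed with the verification
// token issued when the webhook subscription was created.
function verifyNotion(verificationToken: string, header: string, rawBody: string): boolean {
  if (!header.startsWith("sha256=")) return false;
  const expected = createHmac("sha256", verificationToken).update(rawBody).digest("hex");
  return safeEqual(header.slice("sha256=".length), expected);
}

// Constructed sample traffic: keys and secrets are generated here, not real provider data.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const discordPubHex = publicKey.export({ type: "spki", format: "der" }).subarray(12).toString("hex");
const discordTs = "1730000000";
const discordBody = '{"type":1}';
const discordSig = sign(null, Buffer.from(discordTs + discordBody), privateKey).toString("hex");

const stripeSecret = "whsec_constructed_example";
const stripeBody = '{"id":"evt_1","type":"checkout.session.completed"}';
const stripeT = 1730000000;
const stripeHeader = `t=${stripeT},v1=${createHmac("sha256", stripeSecret).update(`${stripeT}.${stripeBody}`).digest("hex")}`;

const notionToken = "constructed_verification_token";
const notionBody = '{"type":"page.updated"}';
const notionHeader = "sha256=" + createHmac("sha256", notionToken).update(notionBody).digest("hex");

function runChecks() {
  return {
    discordOk: verifyDiscord(discordPubHex, discordTs, discordBody, discordSig),
    discordTampered: verifyDiscord(discordPubHex, discordTs, '{"type":2}', discordSig),
    stripeOk: verifyStripe(stripeSecret, stripeHeader, stripeBody, stripeT + 10),
    stripeReplayed: verifyStripe(stripeSecret, stripeHeader, stripeBody, stripeT + 3600),
    notionOk: verifyNotion(notionToken, notionHeader, notionBody),
    notionWrongKey: verifyNotion("wrong-token", notionHeader, notionBody),
  };
}

console.log(runChecks());
```

Two practical points the example encodes: compare against the raw request bytes as received (a body parser that re-serializes JSON changes whitespace and key order and breaks the MAC), and reject Stripe events whose timestamp falls outside a short window, otherwise a captured valid event can be replayed. For Discord, a failed check must answer HTTP 401, since Discord sends deliberately bad signatures when it validates an interactions endpoint URL and refuses to register one that accepts them.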

Secrets Management

  • Azure Key Vault: All secrets stored in Key Vault
  • No secrets in .env files: environment variables carry only non-sensitive configuration toggles; secret values are read from Key Vault at runtime
  • Rotation: Manual rotation process (automated coming soon)
  • Access: Azure Managed Identity (production), CLI credentials (dev)

Monitoring & Incident Response

Monitoring

  • Application Insights: Real-time error tracking and performance monitoring
  • OpenTelemetry: Distributed tracing across services
  • Log Analytics: Centralized logging with Azure Monitor
  • Alerts: Automated alerts for errors, performance degradation, and security events

Logging & Auditing

What we log:

  • API requests (with automatic PII masking)
  • Authentication events
  • Webhook deliveries
  • Error traces

PII Protection in Logs:

All log data is automatically sanitized before being sent to Application Insights:

  • Emails: Masked to show domain only (e.g., ***@example.com) with correlation hash
  • Usernames/Display Names: Masked to show first character (e.g., J***) with correlation hash
  • Tokens/Secrets: Fully redacted (***REDACTED***)
  • User IDs: Preserved for debugging (correlation purposes)
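The masking rules above, implemented as an added example in TypeScript (illustrative code written for this page, not NotiCord's logging pipeline). The field names it keys on (email, displayName and similar name fields, authorization, and any key containing token, secret, password, api key or cookie) and the correlation-hash format (first 8 hex characters of SHA-256 over the lower-cased value, appended after #) are assumptions; the sample log record is constructed.

```typescript
import { createHash } from "node:crypto";

// Short unkeyed hash so the same user can be joined across log lines without
// revealing the value. (Assumed format: 8 hex characters after a "#".)
function correlationHash(value: string): string {
  return createHash("sha256").update(value.trim().toLowerCase()).digest("hex").slice(0, 8);
}

function maskEmail(email: string): string {
  const at = email.lastIndexOf("@");
  if (at <= 0) return "***";
  return `***@${email.slice(at + 1)}#${correlationHash(email)}`;
}

function maskName(name: string): string {
  if (name.length === 0) return "";
  return `${name[0]}***#${correlationHash(name)}`;
}

// Key-name rules (assumed) decide how a field is treated; free text is scanned
// afterwards for anything that slipped into a message string.
const SECRET_KEYS = /(token|secret|password|authorization|api[_-]?key|cookie)/i;
const NAME_KEYS = /^(username|displayName|display_name|name|globalName)$/i;
const EMAIL_KEYS = /email/i;
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const BEARER_RE = /Bearer\s+[A-Za-z0-9._~+\/-]+=*/g;

function sanitizeString(s: string): string {
  return s.replace(BEARER_RE, "Bearer ***REDACTED***").replace(EMAIL_RE, (m) => maskEmail(m));
}

type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

// Walks a log record; numbers, booleans and ID strings pass through unchanged so
// user IDs stay usable for correlation, as the page describes.
function sanitize(value: Json, key = ""): Json {
  if (typeof value === "string") {
    if (SECRET_KEYS.test(key)) return "***REDACTED***";
    if (EMAIL_KEYS.test(key)) return maskEmail(value);
    if (NAME_KEYS.test(key)) return maskName(value);
    return sanitizeString(value);
  }
  if (Array.isArray(value)) return value.map((v) => sanitize(v, key));
  if (value && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) out[k] = sanitize(v, k);
    return out;
  }
  return value;
}

// Constructed log record (not real data) of the kind an API request handler might emit.
const sampleRecord: Json = {
  route: "POST /api/rules",
  userId: "123456789012345678", // Discord snowflake, kept verbatim
  user: { id: "u_42", email: "jane.doe@example.com", displayName: "Jane" },
  headers: { authorization: "Bearer eyJhbGciOiJSUzI1NiJ9.payload.sig" },
  message: "Notion OAuth for jane.doe@example.com failed, retry with Bearer abc.def.ghi",
  notionAccessToken: "secret_constructed_value",
};

function sanitizedSample(): { [k: string]: Json } {
  return sanitize(sampleRecord) as { [k: string]: Json };
}

console.log(JSON.stringify(sanitizedSample(), null, 2));
```

An unkeyed short hash is enough to join lines within one log store, but for a small input space such as a known user list it can be reversed by brute force; if that matters, switch correlationHash to an HMAC with a key held in Key Vault. The walker applies key-name rules first and only then scans free-text strings, so a token that ends up inside a message field is still caught by the Bearer pattern.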

What we don't log:

  • User passwords (never stored or logged)
  • Full message content
  • Personal conversations
  • Unmasked PII (emails, names)

Retention:

  • Application Insights logs: 90 days (automatic retention)
  • App Service HTTP logs: 5 days
  • Event logs (database): 30 days (quota tracking, debugging)

Incident Response

Process:

  1. Detection - Automated alerts and monitoring
  2. Assessment - Severity classification within 1 hour
  3. Containment - Immediate action to limit impact
  4. Resolution - Fix and deploy within 24 hours (critical issues)
  5. Communication - User notification if data breach suspected
  6. Post-Mortem - Root cause analysis and prevention measures

Reporting:

  • Security Issues: contact@firnity.com
  • Response Time: acknowledgement within 48 hours of a report
  • Disclosure: Coordinated disclosure for vulnerabilities

Compliance & Standards

GDPR Compliance

  • ✅ Data Processing Agreement available
  • ✅ Right to access, rectify, delete
  • ✅ Data portability (export on request)
  • ✅ Self-service account deletion
  • ✅ Privacy by design and default
  • ✅ Data minimization practices
  • ✅ EU data residency

Industry Standards

  • OAuth 2.0: Industry-standard authorization
  • OpenID Connect: Authentication standard
  • Modern TLS: Current encryption protocols
  • JWT (RFC 7519): Signed token format; signature and claims are validated on every authenticated request
  • OWASP Top 10: Used as the baseline checklist for application security controls

Development Security

Code Security

  • Linting: ESLint with security rules
  • Dependency Management: npm for package management
  • Infrastructure as Code: Terraform for reproducible deployments

Secure Development Lifecycle

  1. Design: Security considerations in architecture
  2. Implementation: Secure coding practices
  3. Testing: Manual security reviews
  4. Deployment: Terraform infrastructure as code
  5. Monitoring: Continuous monitoring in production

Third-Party Services

All third-party services are vetted for security:

  • Azure - SOC 2, ISO 27001, GDPR
  • Auth0 - SOC 2, ISO 27001, GDPR
  • Stripe - PCI DSS Level 1, SOC 2
  • PostHog - SOC 2, GDPR (EU hosting)

See Sub-Processors for full list.


Data Retention & Deletion

Retention Policies

Data Type              Retention Period     Purpose
Event logs             30 days              Quota tracking, debugging
Action tokens          10 minutes           Button interactions
Account data           Until deletion       Service delivery
Workspace connections  Until disconnection  Service delivery

Data Deletion

Self-Service:

  • Users can delete their account from Settings page
  • Transaction-based deletion (all or nothing)
  • Immediate removal from database

What's Deleted:

  • Account records
  • Identity links
  • Notification rules
  • Event logs
  • Action tokens

What's Not Deleted:

  • Auth0 user records: remain after self-service deletion (removing them requires the Auth0 Management API, which is not yet part of the self-service flow)
  • Discord/Notion OAuth grants: the stored token records are deleted, but the authorization is not revoked on the Discord or Notion side

Timeline:

  • Request processed: Immediate
  • Database deletion: Immediate
  • Storage blobs: soft-deleted blobs remain recoverable for 7 days under the storage account's delete retention policy, then are permanently removed

Vulnerability Reporting

Responsible Disclosure

We welcome security researchers to report vulnerabilities:

In Scope:

  • Authentication/authorization bypasses
  • SQL injection, XSS, CSRF
  • Server-side vulnerabilities
  • Data leaks
  • Cryptographic weaknesses

Out of Scope:

  • Social engineering
  • Physical attacks
  • DoS/DDoS attacks
  • Reports from automated scanners without validation

How to Report:

  1. Email contact@firnity.com with:

    • Vulnerability description
    • Steps to reproduce
    • Impact assessment
    • Your contact information
  2. We will:

    • Acknowledge within 48 hours
    • Investigate and validate
    • Provide timeline for fix
    • Credit you (if desired) after resolution
  3. Coordinated Disclosure:

    • Please wait 90 days before public disclosure
    • We'll work with you on disclosure timing
    • Credit given in security advisories

Questions?

For security-related questions:

  • Security Issues: contact@firnity.com
  • Privacy Questions: contact@firnity.com
  • General Support: contact@firnity.com

Last updated: October 2025
