Technical Trust: Security, Privacy & Reliability

This page explains how PastWipe designs for security, privacy, and operational excellence — including our RepSec™ attestation model, breach‑triggered neutralization, data protection controls, and incident processes. It complements our Status page and legal policies.

Core Model

RepSec™ attestations & breach‑triggered neutralization

Transport

TLS for all connections

At Rest

Encryption for stored assets

Access

Least privilege & role gating

1) Security Architecture

PastWipe’s RepSec™ model issues cryptographic attestations that bind data usage to policy. If an exfiltration or policy breach is detected, controls can trigger neutralization to render stolen or non‑compliant data non‑reusable.

  • Attestation Layer: Policy‑bound assertions covering permitted context, time, and use.
  • Enforcement Hooks: Integration points in apps/pipelines to verify attestations prior to use.
  • Neutralization Triggers: Breach, revocation, expiry, or posture change events.
  • Auditability: Tamper‑evident logs for attestation issuance, checks, and neutralization events.
Typical data‑flow (high‑level)
  1. Source issues attestation with policy claims (e.g., purpose, region, expiry).
  2. Consumer verifies the attestation before processing.
  3. Signals (SIEM/SOAR/IR) can revoke or neutralize on breach or non‑compliance.
  4. All checks are logged; actions are reviewable by data owners and auditors.

2) Data Protection

  • Encryption in Transit: TLS for all client and service connections.
  • Encryption at Rest: Storage encryption for databases, artifacts, and backups.
  • Key Management: Keys are isolated per environment with strict access controls.
  • Data Minimality: We collect only what is needed to provide the service.
  • Retention: Time‑bound retention with deletion on request where applicable.

3) Identity & Access

  • Roles: Portal roles gate downloads and privileged actions.
  • MFA: Multi‑factor required for admin; recommended for users.
  • SSO: SAML/OIDC SSO available for enterprise pilots.
  • Least Privilege: Scoped access, periodic reviews, and session limits.

4) Application Security

  • Secure SDLC: Branch protections, code review, and CI checks.
  • Dependency Hygiene: SCA with rapid remediation for criticals.
  • Scanning: SAST/DAST on key services; secrets scanning in CI.
  • Security Headers: CSP, HSTS, and related controls where compatible.
Example Content-Security-Policy header
Content-Security-Policy: \
  default-src 'self'; \
  img-src 'self' data: https:; \
  script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; \
  style-src 'self' 'unsafe-inline' https:; \
  connect-src 'self' https:; \
  frame-ancestors 'none'; \
  base-uri 'self'; \
  object-src 'none'

Tune per environment and feature set.

5) Infrastructure Security

  • Segmentation: Separate prod/non‑prod; restricted admin paths.
  • Boundary Protection: WAF, rate‑limits, and anomaly detection.
  • Backups: Encrypted, tested restores; integrity checks.
  • Monitoring: Centralized logs, metrics, and alerting with on‑call.

6) Reliability & Disaster Recovery

  • Availability: Track uptime and incidents on the Status page.
  • RPO/RTO Targets: Defined per tier; validated via periodic exercises.
  • Failover & Restore: Documented runbooks and recovery tests.

7) Privacy & Compliance

Nothing on this page constitutes a warranty or certification. See our Terms and Privacy for binding terms.
GDPR
We support data subject rights and provide a Data Processing Addendum upon request.
DPIA Support
We offer security and privacy answers to help your assessments.
Data Residency
Discuss residency preferences as part of your pilot or enterprise plan.
Compliance Roadmap
ISO 27001 & SOC 2 readiness activities are planned; status available on request.

See Privacy Policy. For DPA requests, email [email protected].

8) Logging & Audit

  • Structured, centralized logs with environment separation.
  • Audit events for attestation issuance, verification, and neutralization.
  • Retention aligned to legal and operational needs.

9) Incident Response

  • 24×7 monitoring with triage and escalation runbooks.
  • Customer notification aligned to applicable laws (e.g., GDPR).
  • Public updates via the Status page where relevant.

10) Responsible Disclosure

We welcome vulnerability reports. Please email [email protected] with steps to reproduce and impact. Do not access customer data, disrupt services, or exfiltrate information. We will acknowledge valid reports and work with you on remediation.

Optional PGP public key (replace with your real key)
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP

[Replace with PastWipe Security PGP key]
-----END PGP PUBLIC KEY BLOCK-----
Suggested /.well-known/security.txt
Contact: mailto:[email protected]
Policy: https://pastwipe.com/trust/
Preferred-Languages: en
Canonical: https://pastwipe.com/.well-known/security.txt
Expires: 2026-12-31T23:59:59.000Z

11) Subprocessors

We maintain a current list of subprocessors and data processing partners. For the latest list, contact [email protected] or see the portal for role‑gated documents (portal).

12) Documents & Resources

  • Live Status — uptime and incident history.
  • Privacy Policy — data subject rights and processing basics.
  • Rapid Pilot — start a proof‑of‑value with guardrails.
  • Release Notes — notable changes that may affect posture.
  • Docs — SDK/CLI guidance and integration notes.

Some materials may require an account in the Portal.