Technical Trust: Security, Privacy & Reliability
This page explains how PastWipe designs for security, privacy, and operational excellence — including our RepSec™ attestation model, breach‑triggered neutralization, data protection controls, and incident processes. It complements our Status page and legal policies.
Core Model
RepSec™ attestations & breach‑triggered neutralization
Transport
TLS for all connections
At Rest
Encryption for stored assets
Access
Least privilege & role gating
1) Security Architecture
PastWipe’s RepSec™ model issues cryptographic attestations that bind data usage to policy. If an exfiltration or policy breach is detected, controls can trigger neutralization to render stolen or non‑compliant data non‑reusable.
- Attestation Layer: Policy‑bound assertions covering permitted context, time, and use.
- Enforcement Hooks: Integration points in apps/pipelines to verify attestations prior to use.
- Neutralization Triggers: Breach, revocation, expiry, or posture change events.
- Auditability: Tamper‑evident logs for attestation issuance, checks, and neutralization events.
Typical data‑flow (high‑level)
- Source issues attestation with policy claims (e.g., purpose, region, expiry).
- Consumer verifies the attestation before processing.
- Signals (SIEM/SOAR/IR) can revoke or neutralize on breach or non‑compliance.
- All checks are logged; actions are reviewable by data owners and auditors.
2) Data Protection
- Encryption in Transit: TLS for all client and service connections.
- Encryption at Rest: Storage encryption for databases, artifacts, and backups.
- Key Management: Keys are isolated per environment with strict access controls.
- Data Minimality: We collect only what is needed to provide the service.
- Retention: Time‑bound retention with deletion on request where applicable.
3) Identity & Access
- Roles: Portal roles gate downloads and privileged actions.
- MFA: Multi‑factor required for admin; recommended for users.
- SSO: SAML/OIDC SSO available for enterprise pilots.
- Least Privilege: Scoped access, periodic reviews, and session limits.
4) Application Security
- Secure SDLC: Branch protections, code review, and CI checks.
- Dependency Hygiene: SCA with rapid remediation for criticals.
- Scanning: SAST/DAST on key services; secrets scanning in CI.
- Security Headers: CSP, HSTS, and related controls where compatible.
Example Content-Security-Policy header
Content-Security-Policy: \ default-src 'self'; \ img-src 'self' data: https:; \ script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; \ style-src 'self' 'unsafe-inline' https:; \ connect-src 'self' https:; \ frame-ancestors 'none'; \ base-uri 'self'; \ object-src 'none'
Tune per environment and feature set.
5) Infrastructure Security
- Segmentation: Separate prod/non‑prod; restricted admin paths.
- Boundary Protection: WAF, rate‑limits, and anomaly detection.
- Backups: Encrypted, tested restores; integrity checks.
- Monitoring: Centralized logs, metrics, and alerting with on‑call.
6) Reliability & Disaster Recovery
- Availability: Track uptime and incidents on the Status page.
- RPO/RTO Targets: Defined per tier; validated via periodic exercises.
- Failover & Restore: Documented runbooks and recovery tests.
7) Privacy & Compliance
See Privacy Policy. For DPA requests, email [email protected].
8) Logging & Audit
- Structured, centralized logs with environment separation.
- Audit events for attestation issuance, verification, and neutralization.
- Retention aligned to legal and operational needs.
9) Incident Response
- 24×7 monitoring with triage and escalation runbooks.
- Customer notification aligned to applicable laws (e.g., GDPR).
- Public updates via the Status page where relevant.
10) Responsible Disclosure
We welcome vulnerability reports. Please email [email protected] with steps to reproduce and impact. Do not access customer data, disrupt services, or exfiltrate information. We will acknowledge valid reports and work with you on remediation.
Optional PGP public key (replace with your real key)
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: OpenPGP [Replace with PastWipe Security PGP key] -----END PGP PUBLIC KEY BLOCK-----
Suggested /.well-known/security.txt
Contact: mailto:[email protected] Policy: https://pastwipe.com/trust/ Preferred-Languages: en Canonical: https://pastwipe.com/.well-known/security.txt Expires: 2026-12-31T23:59:59.000Z
11) Subprocessors
We maintain a current list of subprocessors and data processing partners. For the latest list, contact [email protected] or see the portal for role‑gated documents (portal).
12) Documents & Resources
- Live Status — uptime and incident history.
- Privacy Policy — data subject rights and processing basics.
- Rapid Pilot — start a proof‑of‑value with guardrails.
- Release Notes — notable changes that may affect posture.
- Docs — SDK/CLI guidance and integration notes.
Some materials may require an account in the Portal.