Security Policy

Effective Date: May 8, 2026 | Last Updated: May 8, 2026

Beezifi Inc. takes security seriously. This Security Policy describes the technical and organizational safeguards implemented in the Beezifi Security gateway platform (the "Service") to protect tenant accounts, API keys, request data, and platform infrastructure. Because Beezifi Security is itself a security product, the platform is built and operated with an adversarial mindset — the assumption that the gateway is a high-value target for attacks directed at tenants and Beezifi alike.

This policy is incorporated by reference into our Terms of Service and Privacy Policy.

Beezifi Security is a security gateway — its integrity is critical to your downstream infrastructure. Every architectural and operational decision is made with the assumption that the Service is subject to active, persistent attack.

1. Credential & Authentication Security

🔐

Password Hashing

Dashboard passwords are stored using bcrypt with work factor 12. Plaintext passwords are never written to storage or logs.

🔑

API Key Hashing

API keys are stored exclusively as SHA-256 hashes. The full plaintext key is shown only once at issuance and cannot be recovered from the Service.

🎟️

JWT Sessions

Dashboard sessions use short-lived JSON Web Tokens (HS256) with issuer validation. Tokens are stored in localStorage and cleared on sign-out.

🚦

Rate Limiting

Authentication and API endpoints are individually rate-limited. The decision endpoint is limited to 50 calls per second per IP to prevent brute-force key enumeration.

2. API Key Security

API keys use the prefix bzf_ followed by 48 cryptographically random hexadecimal characters (192 bits of entropy). Keys are generated using Node.js's crypto.randomBytes() and are immediately hashed with SHA-256 before storage. Key rotation is available at any time from the dashboard; rotation immediately invalidates the prior key. Tenants can revoke individual keys or all keys simultaneously.

Beezifi has no ability to recover or expose a plaintext API key after issuance. If a key is lost, it must be rotated. You are solely responsible for the secure storage and authorized use of your API keys.

3. Transport Security

All communication between clients and the Service is encrypted using TLS 1.2 or higher. Unencrypted HTTP connections should be blocked at your infrastructure level. HTTP Strict Transport Security (HSTS) headers are enforced on the dashboard to prevent downgrade attacks.

4. HTTP Security Headers

The Service dashboard is hardened with the following HTTP security headers via Helmet.js:

HTTP Strict Transport Security (HSTS): Enforces HTTPS for all future connections
X-Frame-Options: DENY: Prevents clickjacking via iframe embedding
X-Content-Type-Options: nosniff: Prevents MIME-type sniffing attacks
Referrer-Policy: Controls referrer information in outbound requests
Permissions-Policy: Restricts browser feature API access

Note: Content-Security-Policy (CSP) is currently relaxed to permit the dashboard's inline scripts and CDN-hosted chart libraries. Tighter CSP constraints are on the security roadmap.

5. Multi-Tenant Data Isolation

All tenant data — rules, API keys, request logs, and bandwidth balances — is scoped by a tenant_id enforced at every database query layer. Foreign key constraints and application-layer validation prevent cross-tenant data access. No shared caches or data structures are used across tenant boundaries. Even if an authenticated dashboard session were compromised, it would have access only to the corresponding tenant's data.

6. Decision Endpoint Security

The decision endpoint (POST /api/v1/check) is designed as the critical path and is hardened accordingly:

Authentication is performed via a constant-time SHA-256 hash comparison — timing-safe against key enumeration
The endpoint is rate-limited to 50 requests per second per IP address
Revoked or invalid API keys receive identical error responses to prevent oracle attacks
Tenant suspension and zero-balance enforcement are checked on every request
Usage deduction is performed asynchronously after the response to minimize latency
All evaluation errors fail closed — ambiguous or exceptional cases return BLOCK, not ALLOW

7. Rule Engine Integrity

The security rule engine evaluates rules in strict priority order (lowest priority number first) and short-circuits on first match. Rule types supported include: IP blocklists and allowlists (with CIDR notation), geographic block and allow rules, geofence rules (Haversine great-circle distance), rate limiting (sliding window, tracked per-rule per identifier), user-agent pattern matching, and path prefix/suffix/exact matching. Rule configurations are validated on write and rejected if malformed. BLOCK and REDIRECT decisions are accompanied by configurable ghost responses to prevent information leakage.

8. Request Log Security

Request logs are stored in append-only database records and are scoped strictly to the originating tenant. Logs contain the evaluation inputs you submitted and the decision output. Log data is not shared with other tenants or used by Beezifi for purposes beyond operating the Service and security investigations. Logs are retained for 90 days by default.

9. Payment Security

All payment processing is delegated to Stripe, Inc. Beezifi never receives, processes, or stores raw payment card data. The checkout flow is handled entirely on Stripe's PCI-DSS-compliant infrastructure via Stripe Checkout. Beezifi stores only the Stripe customer ID, session ID, and payment intent ID for reconciliation purposes. Stripe webhooks are verified using HMAC-SHA256 signature validation before any balance credit is applied.

10. Shared Responsibility

Security is a shared responsibility. To protect your tenant account and API keys, you must:

Use a strong, unique password for your dashboard account (minimum 8 characters; 12+ recommended)
Rotate API keys immediately if you suspect they have been exposed or are no longer needed
Restrict API key use to trusted infrastructure only — do not embed keys in client-side code
Review your request logs regularly for unexpected traffic patterns or anomalies
Configure security rules appropriate to your use case and review them periodically
Maintain adequate bandwidth balance to avoid service interruption
Report any suspected unauthorized access to your account or API keys immediately to security@beezifi.com

11. Incident Response

In the event of a confirmed security incident affecting tenant data, Beezifi Inc. will:

Notify affected tenants within 72 hours of confirmation, as required by applicable law
Provide clear information about the nature of the exposure and the data affected
Describe remediation steps taken and recommended tenant actions (e.g., key rotation)
Cooperate with applicable regulatory authorities as required

12. Vulnerability Disclosure

If you believe you have discovered a security vulnerability in the Service, please report it responsibly before public disclosure:

Email: security@beezifi.com
Include a clear description of the vulnerability with reproduction steps
Include the potential impact and affected components
We will acknowledge receipt within 2 business days
We will work with you to validate and remediate confirmed issues before disclosure

Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to remediate them. We appreciate responsible disclosure and will credit researchers where appropriate with their consent.

13. Disclaimer

DESPITE THE SECURITY MEASURES DESCRIBED IN THIS POLICY, NO SYSTEM IS 100% SECURE. BEEZIFI INC. CANNOT GUARANTEE ABSOLUTE SECURITY OF DATA TRANSMITTED OVER THE INTERNET OR STORED ON OUR SYSTEMS. BEEZIFI INC. SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS, BREACH, OR LOSS OF DATA TO THE EXTENT SUCH INCIDENT RESULTS FROM CIRCUMSTANCES BEYOND OUR REASONABLE CONTROL, INCLUDING BUT NOT LIMITED TO YOUR FAILURE TO MAINTAIN SECURE API KEY HYGIENE, UNAUTHORIZED USE OF YOUR CREDENTIALS, OR COMPROMISE OF YOUR OWN INFRASTRUCTURE. YOUR USE OF THE SERVICE IS AT YOUR OWN RISK AS FURTHER DESCRIBED IN OUR TERMS OF SERVICE.

14. Governing Law

This Security Policy and any disputes arising out of or relating to it shall be governed by and construed in accordance with the laws of the State of Washington, United States, without regard to its conflict-of-law provisions. By using the Service, you consent to the exclusive jurisdiction of the courts located in Washington State for any matters not subject to arbitration under our Terms of Service.

15. Contact

For security questions, incident reports, or vulnerability disclosures:
Email: security@beezifi.com
Response target: 2 business days for security reports