Enterprise Security for Regulated Industries
Zero data retention. TLS 1.3 encryption. Tamper-evident audit logs. Frisby is architected from the ground up so that sensitive documents in healthcare, finance, insurance, and government never touch persistent storage.
Zero Data Retention by Design
Documents are processed entirely in memory and never written to disk. There is no document database, no file store, and no content cache. When the request completes, your data is gone.
In-Memory Processing Only
Document content is held in memory for the duration of analysis and garbage-collected on completion. No content is written to disk, logged to files, or stored in any database.
TLS 1.3 Encryption in Transit
All data in transit is protected by TLS 1.3, the latest transport layer security protocol. This covers document uploads, API requests, and all communication between your browser and our edge infrastructure.
No Training on Your Data
Customer documents are never used for model training, fine-tuning, or any form of machine learning improvement. Your data is used exclusively to fulfill the request you make, then discarded.
Edge-First Infrastructure
Built on Cloudflare Workers with no persistent servers. Requests execute at the edge location nearest to the user, minimizing latency and eliminating centralized data stores.
Cloudflare Workers (Edge Computing)
All application logic runs on Cloudflare Workers, a serverless edge platform. There are no persistent servers, no VMs to patch, and no long-running processes that could be compromised. Each request executes in an isolated V8 context that is destroyed on completion.
Turso Database (Encrypted at Rest)
Account metadata and audit records are stored in Turso (libSQL), which provides encryption at rest using AES-256. The database stores only operational data such as user accounts, API key hashes, and audit log entries. Document content is never persisted.
Geographic Data Residency
Cloudflare Workers execute at the edge location nearest to the user across 300+ data centers worldwide. For customers with data residency requirements, request routing ensures data is processed within the required geographic boundary without crossing jurisdictions.
No Persistent Server State
The serverless architecture means there is no server filesystem, no temp directories, and no background processes. Each request is stateless and self-contained. There is nothing to breach on a server because there is no server.
Authentication & Credential Security
Passwords, tokens, and API keys are protected using industry-standard cryptographic primitives with no shortcuts.
| Mechanism | Implementation |
|---|---|
| Password Hashing | PBKDF2-SHA-256 with 100,000 iterations and unique per-user salt |
| Session Tokens | JWT with 7-day expiry, signed with server-side secret |
| Credential Comparison | Constant-time comparison via timingSafeEqual to prevent timing attacks |
| API Key Storage | Keys hashed with SHA-256 before storage; raw keys shown once at creation, never retrievable |
| Password Requirements | Minimum length enforcement, checked at registration and password change |
Why PBKDF2 with 100K Iterations
PBKDF2 is a NIST-recommended key derivation function (SP 800-132). At 100,000 iterations of SHA-256, each password guess costs approximately 100ms of computation, making brute-force attacks against stolen hashes economically infeasible. Each user has a unique cryptographic salt, so identical passwords produce different hashes.
JWT Token Lifecycle
Authentication tokens expire after 7 days, balancing security with usability for compliance teams running multi-day audit workflows. Tokens are validated on every API request. There is no token refresh mechanism; expired sessions require re-authentication.
Access Control & Rate Limiting
Every request is authenticated, authorized against the user's role and tier, and rate-limited to prevent abuse.
Role-Based Access Control
Users are assigned roles (e.g., user, admin) that determine which endpoints and features they can access. Role checks are enforced server-side on every request; frontend visibility is a convenience, not a security boundary.
API Key Authentication
Programmatic access uses API keys that are SHA-256 hashed before storage. Each key is scoped to a user account and inherits that account's role and tier permissions. Keys can be revoked instantly from the account dashboard.
Tier-Based Rate Limiting
API requests are rate-limited per subscription tier to prevent abuse and ensure fair resource allocation. Rate limits are enforced at the edge before requests reach application logic, protecting against both accidental overuse and deliberate denial-of-service attempts.
Constant-Time Token Validation
All token and key comparisons use constant-time algorithms to prevent timing side-channel attacks. An invalid token takes the same amount of time to reject as a valid token takes to accept, revealing no information to an attacker.
Web Security Standards
Every page implements enterprise-grade security headers and protections as a defense-in-depth layer.
Content Security Policy (CSP)
Strict CSP headers prevent cross-site scripting (XSS), unauthorized script injection, and data exfiltration across all pages.
X-Frame-Options DENY
Clickjacking protection prevents pages from being embedded in iframes on malicious sites.
X-Content-Type-Options nosniff
Prevents MIME-type sniffing attacks by forcing browsers to respect declared content types.
Strict Referrer Policy
strict-origin-when-cross-origin referrer policy limits data leakage in HTTP headers when navigating to external sites.
HTTPS with TLS 1.3
All traffic is served over HTTPS with TLS 1.3, providing forward secrecy and the strongest widely-deployed transport encryption available.
Form Tamper Detection
Payment forms include client-side tamper detection that validates amounts before submission, preventing price manipulation attacks.
Tamper-Evident Audit Logs
Every action is recorded in an immutable, cryptographically chained audit log designed for regulatory examination.
Chain Hashing for Tamper Evidence
Each audit log entry includes a SHA-256 hash of the previous entry, forming a cryptographic chain. If any record is modified or deleted, the chain breaks, making tampering immediately detectable. This provides the same integrity guarantee as a blockchain without the overhead.
Immutable Log Records
Audit entries are append-only. The system has no API endpoint, admin function, or database procedure to modify or delete existing log entries. Every document analysis, login, configuration change, and API call is permanently recorded.
Exportable Compliance Records
Audit logs can be exported in structured formats for submission to regulators, external auditors, or internal compliance teams. Exports include the full hash chain so recipients can independently verify log integrity.
What Gets Logged
- User authentication events (login, logout, failed attempts)
- Document analysis requests (metadata only, never content)
- API key creation and revocation
- Account and configuration changes
- Compliance report generation events
Compliance Readiness
Frisby is built for organizations in regulated industries. Our architecture addresses the technical requirements of major compliance frameworks.
HIPAA-Ready Architecture
Zero data retention eliminates stored PHI risk. TLS 1.3 encryption satisfies the transmission security standard. Tamper-evident audit logs provide the accountability trail required by the HIPAA Security Rule. Business Associate Agreements (BAAs) are available for enterprise customers.
SOC 2 Type II Roadmap
We are actively pursuing SOC 2 Type II certification. Our architecture already implements controls for the Security, Availability, and Confidentiality trust service criteria: encrypted transit, immutable audit logs, role-based access, and automated monitoring.
GDPR Data Subject Rights
Because we retain zero document content, there is minimal personal data to manage. Account data supports right-to-access and right-to-erasure requests. Analytics are consent-gated with no pre-consent tracking. Data processing is transparent and documented in our Privacy Policy.
GDPR-Compliant Cookie Consent
A clear, non-deceptive cookie banner gives you full control. No pre-checked boxes, no dark patterns. Plausible Analytics and Microsoft Clarity load only after explicit consent.
Privacy Policy & Terms of Service
Clear, readable Privacy Policy and Terms of Service documents explain exactly what we do and don’t do with your data.
Payment Security
We never handle your credit card data directly. All payment processing is handled by PayPal.
PayPal Secure Checkout
All transactions are processed through PayPal, which is PCI DSS Level 1 compliant — the highest level of payment security certification.
No Direct Card Handling
We never see, store, or process your credit card numbers. Payment data goes directly to PayPal’s secure infrastructure.
Double-Click Protection
Form submission buttons are automatically disabled after click to prevent accidental duplicate charges.
Compliance Framework Knowledge
Our tools are built with deep knowledge of major regulatory and compliance frameworks. Every audit checkpoint, validation rule, and risk assessment draws from these standards.
Our 126 audit checkpoints across 6 AI agents are mapped to the requirements of these frameworks, enabling compliance teams to validate AI outputs against the standards that matter to their industry.
Reporting Security Vulnerabilities
We take every security report seriously. If you discover a vulnerability, we want to hear from you.
How to Report
Email security@frisbyaiops.com with a description of the vulnerability, steps to reproduce, and any relevant screenshots or proof-of-concept code.
Response timeline: We acknowledge reports within 48 hours and aim to provide an initial assessment within 5 business days.
Scope: All Frisby AI Operations services, APIs, and web properties. We ask that you avoid accessing other users' data, disrupting service availability, or publicly disclosing the issue before we have had a chance to address it.
Recognition: We credit researchers who report valid vulnerabilities (with permission) and are committed to resolving confirmed issues promptly.
Questions about security?
Contact our security team or try the platform to see these protections in action.