Skip to content
Security

Enterprise Security for Regulated Industries

Zero data retention. TLS 1.3 encryption. Tamper-evident audit logs. Frisby is architected from the ground up so that sensitive documents in healthcare, finance, insurance, and government never touch persistent storage.

Zero Retention TLS 1.3 HIPAA-Ready SOC 2 Roadmap GDPR
Data Handling

Zero Data Retention by Design

Documents are processed entirely in memory and never written to disk. There is no document database, no file store, and no content cache. When the request completes, your data is gone.

🚫

In-Memory Processing Only

Document content is held in memory for the duration of analysis and garbage-collected on completion. No content is written to disk, logged to files, or stored in any database.

🔒

TLS 1.3 Encryption in Transit

All data in transit is protected by TLS 1.3, the latest transport layer security protocol. This covers document uploads, API requests, and all communication between your browser and our edge infrastructure.

🙅

No Training on Your Data

Customer documents are never used for model training, fine-tuning, or any form of machine learning improvement. Your data is used exclusively to fulfill the request you make, then discarded.

Infrastructure

Edge-First Infrastructure

Built on Cloudflare Workers with no persistent servers. Requests execute at the edge location nearest to the user, minimizing latency and eliminating centralized data stores.

Cloudflare Workers (Edge Computing)

All application logic runs on Cloudflare Workers, a serverless edge platform. There are no persistent servers, no VMs to patch, and no long-running processes that could be compromised. Each request executes in an isolated V8 context that is destroyed on completion.

Turso Database (Encrypted at Rest)

Account metadata and audit records are stored in Turso (libSQL), which provides encryption at rest using AES-256. The database stores only operational data such as user accounts, API key hashes, and audit log entries. Document content is never persisted.

Geographic Data Residency

Cloudflare Workers execute at the edge location nearest to the user across 300+ data centers worldwide. For customers with data residency requirements, request routing ensures data is processed within the required geographic boundary without crossing jurisdictions.

No Persistent Server State

The serverless architecture means there is no server filesystem, no temp directories, and no background processes. Each request is stateless and self-contained. There is nothing to breach on a server because there is no server.

Authentication

Authentication & Credential Security

Passwords, tokens, and API keys are protected using industry-standard cryptographic primitives with no shortcuts.

MechanismImplementation
Password HashingPBKDF2-SHA-256 with 100,000 iterations and unique per-user salt
Session TokensJWT with 7-day expiry, signed with server-side secret
Credential ComparisonConstant-time comparison via timingSafeEqual to prevent timing attacks
API Key StorageKeys hashed with SHA-256 before storage; raw keys shown once at creation, never retrievable
Password RequirementsMinimum length enforcement, checked at registration and password change

Why PBKDF2 with 100K Iterations

PBKDF2 is a NIST-recommended key derivation function (SP 800-132). At 100,000 iterations of SHA-256, each password guess costs approximately 100ms of computation, making brute-force attacks against stolen hashes economically infeasible. Each user has a unique cryptographic salt, so identical passwords produce different hashes.

JWT Token Lifecycle

Authentication tokens expire after 7 days, balancing security with usability for compliance teams running multi-day audit workflows. Tokens are validated on every API request. There is no token refresh mechanism; expired sessions require re-authentication.

Access Control

Access Control & Rate Limiting

Every request is authenticated, authorized against the user's role and tier, and rate-limited to prevent abuse.

👥

Role-Based Access Control

Users are assigned roles (e.g., user, admin) that determine which endpoints and features they can access. Role checks are enforced server-side on every request; frontend visibility is a convenience, not a security boundary.

🔑

API Key Authentication

Programmatic access uses API keys that are SHA-256 hashed before storage. Each key is scoped to a user account and inherits that account's role and tier permissions. Keys can be revoked instantly from the account dashboard.

Tier-Based Rate Limiting

API requests are rate-limited per subscription tier to prevent abuse and ensure fair resource allocation. Rate limits are enforced at the edge before requests reach application logic, protecting against both accidental overuse and deliberate denial-of-service attempts.

🛡

Constant-Time Token Validation

All token and key comparisons use constant-time algorithms to prevent timing side-channel attacks. An invalid token takes the same amount of time to reject as a valid token takes to accept, revealing no information to an attacker.

Web Security

Web Security Standards

Every page implements enterprise-grade security headers and protections as a defense-in-depth layer.

🛡

Content Security Policy (CSP)

Strict CSP headers prevent cross-site scripting (XSS), unauthorized script injection, and data exfiltration across all pages.

📷

X-Frame-Options DENY

Clickjacking protection prevents pages from being embedded in iframes on malicious sites.

📄

X-Content-Type-Options nosniff

Prevents MIME-type sniffing attacks by forcing browsers to respect declared content types.

🔗

Strict Referrer Policy

strict-origin-when-cross-origin referrer policy limits data leakage in HTTP headers when navigating to external sites.

🔐

HTTPS with TLS 1.3

All traffic is served over HTTPS with TLS 1.3, providing forward secrecy and the strongest widely-deployed transport encryption available.

🔎

Form Tamper Detection

Payment forms include client-side tamper detection that validates amounts before submission, preventing price manipulation attacks.

Audit Trail

Tamper-Evident Audit Logs

Every action is recorded in an immutable, cryptographically chained audit log designed for regulatory examination.

Chain Hashing for Tamper Evidence

Each audit log entry includes a SHA-256 hash of the previous entry, forming a cryptographic chain. If any record is modified or deleted, the chain breaks, making tampering immediately detectable. This provides the same integrity guarantee as a blockchain without the overhead.

Immutable Log Records

Audit entries are append-only. The system has no API endpoint, admin function, or database procedure to modify or delete existing log entries. Every document analysis, login, configuration change, and API call is permanently recorded.

Exportable Compliance Records

Audit logs can be exported in structured formats for submission to regulators, external auditors, or internal compliance teams. Exports include the full hash chain so recipients can independently verify log integrity.

What Gets Logged

  • User authentication events (login, logout, failed attempts)
  • Document analysis requests (metadata only, never content)
  • API key creation and revocation
  • Account and configuration changes
  • Compliance report generation events
Compliance

Compliance Readiness

Frisby is built for organizations in regulated industries. Our architecture addresses the technical requirements of major compliance frameworks.

HIPAA-Ready Architecture

Zero data retention eliminates stored PHI risk. TLS 1.3 encryption satisfies the transmission security standard. Tamper-evident audit logs provide the accountability trail required by the HIPAA Security Rule. Business Associate Agreements (BAAs) are available for enterprise customers.

SOC 2 Type II Roadmap

We are actively pursuing SOC 2 Type II certification. Our architecture already implements controls for the Security, Availability, and Confidentiality trust service criteria: encrypted transit, immutable audit logs, role-based access, and automated monitoring.

GDPR Data Subject Rights

Because we retain zero document content, there is minimal personal data to manage. Account data supports right-to-access and right-to-erasure requests. Analytics are consent-gated with no pre-consent tracking. Data processing is transparent and documented in our Privacy Policy.

GDPR-Compliant Cookie Consent

A clear, non-deceptive cookie banner gives you full control. No pre-checked boxes, no dark patterns. Plausible Analytics and Microsoft Clarity load only after explicit consent.

Privacy Policy & Terms of Service

Clear, readable Privacy Policy and Terms of Service documents explain exactly what we do and don’t do with your data.

Payments

Payment Security

We never handle your credit card data directly. All payment processing is handled by PayPal.

💳

PayPal Secure Checkout

All transactions are processed through PayPal, which is PCI DSS Level 1 compliant — the highest level of payment security certification.

💳

No Direct Card Handling

We never see, store, or process your credit card numbers. Payment data goes directly to PayPal’s secure infrastructure.

🛡

Double-Click Protection

Form submission buttons are automatically disabled after click to prevent accidental duplicate charges.

Compliance Knowledge

Compliance Framework Knowledge

Our tools are built with deep knowledge of major regulatory and compliance frameworks. Every audit checkpoint, validation rule, and risk assessment draws from these standards.

HIPAA FINRA SEC GDPR CCPA / CPRA RESPA / TILA ISO 42001

Our 126 audit checkpoints across 6 AI agents are mapped to the requirements of these frameworks, enabling compliance teams to validate AI outputs against the standards that matter to their industry.

Responsible Disclosure

Reporting Security Vulnerabilities

We take every security report seriously. If you discover a vulnerability, we want to hear from you.

How to Report

Email security@frisbyaiops.com with a description of the vulnerability, steps to reproduce, and any relevant screenshots or proof-of-concept code.

Response timeline: We acknowledge reports within 48 hours and aim to provide an initial assessment within 5 business days.

Scope: All Frisby AI Operations services, APIs, and web properties. We ask that you avoid accessing other users' data, disrupting service availability, or publicly disclosing the issue before we have had a chance to address it.

Recognition: We credit researchers who report valid vulnerabilities (with permission) and are committed to resolving confirmed issues promptly.

Questions about security?

Contact our security team or try the platform to see these protections in action.

Start your Instant access after subscription  See Pricing →