
Security

Spyder's security posture, the controls we have in place, and how to report a vulnerability.

Last updated: May 31, 2026

In transit

  • TLS 1.3 everywhere. HSTS preloaded on spyderapp.com and all *.spyderapp.com subdomains.
  • The session cookie is set with the HttpOnly, Secure, and SameSite=Lax attributes.
  • Content Security Policy locks down which origins can serve scripts, media, and frames on the dashboard.
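A check for the three transport claims above, added here as an example and not Spyder's own code: given the headers and Set-Cookie values of a dashboard response, it reports which HSTS, CSP and cookie properties do not hold. The two sample responses at the bottom are constructed for illustration, not captured from spyderapp.com; run check_response() against your own deployment's responses to verify the claims.

```python
"""Check HSTS, CSP and session-cookie attributes on a response.

Added example, not Spyder's code. The two sample responses at the bottom are
constructed for illustration; point check_response() at headers from your
own deployment to verify the claims above.
"""

ONE_YEAR = 31536000  # hstspreload.org requires a max-age of at least one year


def parse_hsts(value):
    """'max-age=31536000; includeSubDomains; preload' -> {'max-age': '31536000', ...}"""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives


def parse_csp(value):
    """\"default-src 'self'; script-src 'self'\" -> {'default-src': [\"'self'\"], ...}"""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def parse_set_cookie(raw):
    """Return (cookie name, attributes) with attribute names lowercased."""
    parts = [p.strip() for p in raw.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_response(headers, set_cookies):
    """Return a list of findings; an empty list means every check passed.

    headers: dict of lowercase header name -> value
    set_cookies: list of raw Set-Cookie header values
    """
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS missing includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS missing preload")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = parse_csp(csp)
        # Each fetch directive falls back to default-src when it is absent.
        for directive in ("script-src", "media-src", "frame-src"):
            sources = d.get(directive, d.get("default-src"))
            if sources is None:
                findings.append(f"CSP does not restrict {directive}")
            elif "*" in sources or "'unsafe-inline'" in sources:
                findings.append(f"CSP {directive} allows wildcard or unsafe-inline")

    for raw in set_cookies:
        name, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name} missing Secure")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name} SameSite is not Lax or Strict")
    return findings


# Constructed sample responses (not captured from spyderapp.com).
DASHBOARD_OK = {
    "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
        "content-security-policy": "default-src 'self'; script-src 'self'; "
                                   "media-src 'self' https://media.example; frame-src 'none'",
    },
    "set_cookies": ["session=eyJ0eXAiOiJKV1Qi.x.y; Path=/; HttpOnly; Secure; SameSite=Lax"],
}
DASHBOARD_WEAK = {
    "headers": {
        "strict-transport-security": "max-age=300",
        "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
    },
    "set_cookies": ["session=abc123; Path=/; SameSite=None"],
}

if __name__ == "__main__":
    for label, sample in (("ok", DASHBOARD_OK), ("weak", DASHBOARD_WEAK)):
        print(label, check_response(sample["headers"], sample["set_cookies"]))
```

The CSP check is deliberately narrow: it only asks whether the three directives the page names are restricted at all and free of wildcards or 'unsafe-inline'. A full CSP review also looks at nonces or hashes and at connect-src, which this page does not claim anything about.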

At rest

  • All data is stored in Cloudflare D1 (SQLite) and Cloudflare R2 (object storage), both encrypted at rest with AES-256.
  • Passwords are stored as bcrypt hashes only. The plaintext never touches disk.
  • Session JWTs are signed with HS256 (HMAC-SHA256 using a server-side secret) and rotated regularly.
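How HS256 session tokens and regular rotation fit together, as an added example rather than Spyder's implementation. It assumes that "rotated" refers to the signing secret (the page does not say which) and that each token carries a kid header naming the secret that signed it, so the verifier can accept tokens from the previous secret during an overlap window and reject everything else. The keyring contents and account ids are made up.

```python
"""HS256 session tokens with a rotating signing secret.

Added example, not Spyder's code. Assumes the rotated item is the HMAC
secret and that tokens carry a 'kid' header; the keyring below is made up.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed keyring: kid -> secret. During a rotation the previous secret
# stays here until every token it signed has expired, then it is retired.
KEYRING = {
    "2026-05": b"previous-secret-at-least-32-bytes-long",
    "2026-06": b"current-secret-at-least-32-bytes-long!",
}
CURRENT_KID = "2026-06"
SESSION_TTL = 24 * 3600  # assumed lifetime; the page does not state one


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(account_id: str, now: int = None, kid: str = CURRENT_KID) -> str:
    """Issue a token for account_id, signed with the secret named by kid."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": account_id, "iat": now, "exp": now + SESSION_TTL}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    tag = hmac.new(KEYRING[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_session(token: str, now: int = None) -> dict:
    """Return the payload of a valid token; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side: the token never gets to choose it. This
    # rejects alg=none and algorithm-confusion tokens before any key is used.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    secret = KEYRING.get(header.get("kid"))
    if secret is None:
        raise ValueError("unknown or retired kid")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def retire_key(kid: str) -> None:
    """Drop a secret once every token it signed has expired, i.e. at least
    SESSION_TTL after it stopped being CURRENT_KID."""
    KEYRING.pop(kid, None)


if __name__ == "__main__":
    t0 = int(time.time())
    token = sign_session("acct_example", now=t0)
    print(verify_session(token, now=t0 + 60))
```

The overlap window is the part people get wrong: if the old secret is dropped the moment the new one is introduced, every live session breaks, and if it is never dropped, a leaked old secret keeps minting valid tokens indefinitely. Keeping exactly one previous kid for one SESSION_TTL gives both properties.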

Access controls

  • Customer data access requires a valid signed session cookie. Every API call checks that the account behind the session owns the resource being accessed.
  • Internal admin access is scoped to a small operations team, audited per access, and requires a hardware security key as the second factor.
  • Production database access is read-only by default; writes require a temporary, logged elevation.
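The per-call ownership check in the first bullet, as an added example and not Spyder's code. It uses Python's sqlite3 (D1 is SQLite-based) with a constructed sites table and made-up account ids, and shows the lookup that forgets the session account beside the one that scopes the query to it, for reads and for deletes.

```python
"""Scope every resource query to the session's account.

Added example, not Spyder's code. Table, columns and rows are constructed;
the point is the shape of the WHERE clause, not the schema.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with two sites owned by two different accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sites (id TEXT PRIMARY KEY, account_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO sites VALUES (?, ?, ?)",
        [("site_1", "acct_alice", "alice.example"), ("site_2", "acct_bob", "bob.example")],
    )
    conn.commit()
    return conn


def get_site_insecure(conn, session_account_id, site_id):
    """Looks the site up by id alone. The session account is validated by the
    cookie check but never consulted here, so any signed-in user can read any
    site by guessing its id (an insecure direct object reference)."""
    return conn.execute(
        "SELECT id, account_id, name FROM sites WHERE id = ?", (site_id,)
    ).fetchone()


def get_site(conn, session_account_id, site_id):
    """Scopes the lookup to the caller's account inside the query itself.
    Returns None both when the site does not exist and when it belongs to
    someone else, so the response does not reveal which of the two it was."""
    return conn.execute(
        "SELECT id, account_id, name FROM sites WHERE id = ? AND account_id = ?",
        (site_id, session_account_id),
    ).fetchone()


def delete_site(conn, session_account_id, site_id) -> bool:
    """Same rule for writes: the ownership predicate is part of the DELETE,
    not a separate read followed by an unscoped delete. rowcount tells the
    caller whether anything was actually removed."""
    cur = conn.execute(
        "DELETE FROM sites WHERE id = ? AND account_id = ?", (site_id, session_account_id)
    )
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = setup_db()
    print("insecure, bob reads alice's site:", get_site_insecure(db, "acct_bob", "site_1"))
    print("scoped, bob reads alice's site:  ", get_site(db, "acct_bob", "site_1"))
```

Putting the account id in the WHERE clause rather than checking it in application code after the fetch means a missed check in one handler cannot leak a row, and it composes with a read-replica or a row-level policy later without changing call sites.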

Infrastructure

  • Compute: Cloudflare Workers (V8 isolates, per-request sandbox).
  • Database: Cloudflare D1 (SQLite, replicated to Cloudflare's edge).
  • Object storage: Cloudflare R2 (S3-compatible, encrypted at rest).
  • Billing: Stripe (PCI-DSS Level 1).
  • Email: Resend (operational mail only).

Custom domains

When a customer binds a custom domain, Spyder provisions a TLS certificate automatically via Cloudflare for SaaS Custom Hostnames. Certificates are issued and renewed through Cloudflare, are short-lived (valid for 90 days or less), and rotate automatically without customer action.

Backups

Daily backups of all account and site data are retained on a rolling 30-day window. Restoration is available on request — email security@spyderapp.com.

Vulnerability disclosure

Found a security issue? Email security@spyderapp.com with details. We respond within 48 hours. We don't currently run a paid bounty, but we publicly credit researchers who report in good faith and follow coordinated disclosure.

Please:

  • Test only on accounts you own.
  • Don't access, modify, or delete data that isn't yours.
  • Don't run automated scanners that produce volume that could degrade service.
  • Give us a reasonable window to remediate before publishing.

Incident response

For confirmed incidents affecting customer data we notify affected customers within 72 hours, post a status update at status.spyderapp.com, and publish a post-incident report once root cause is understood.

Compliance status

Spyder is a young product and not yet SOC 2 audited. We design and operate against SOC 2 control objectives so that an audit can be completed when the company's stage warrants it. Enterprise customers can request our current control matrix.