Hardened controls (what we run, end-to-end)
| Layer | Control | Where to verify |
|---|---|---|
| Edge | Cloudflare WAF, DDoS L3/4/7, rate-limits per route, bot management | HTTP cf-ray headers; Cloudflare dashboard |
| Transport | TLS 1.3 only, HSTS preload, OCSP stapling. Strict-Transport-Security: max-age=63072000; includeSubDomains; preload | SSL Labs A+ rating · ssllabs.com |
| Browser | Strict CSP, X-Frame-Options: DENY, Cross-Origin-Opener-Policy: same-origin, Cross-Origin-Embedder-Policy: require-corp, Referrer-Policy: no-referrer, Permissions-Policy locked down | securityheaders.com |
| Auth (web) | Session cookies with modern password hashing, token hashing at rest, and CSRF protection on all state-changing requests. | Public security testing + independent verification available on request |
| Auth (API) | Bearer API tokens hashed at rest with per-key scope and budget controls. | Public API behavior + support verification on request |
| Founder auth | 3 layers: password → email OTP → TOTP. Founder-only path; everything inside /api/admin/* requires is_founder = TRUE + a TOTP-fresh session | Audit table: founder_admin_audit |
| Database | Production data stores are private and reachable only through authenticated service boundaries. Public edge workloads use least-privilege service access, never direct open database ingress. | Architecture review available under NDA for enterprise customers |
| Substrate at rest | Per-user envelope encryption (AES-256-GCM). Plaintext substrate content is segregated from direct account identifiers in backups. | Control evidence available for customer due diligence |
| Secrets | Secrets are held in managed secret stores and rotated on a recurring schedule. No secrets are committed to source control. | Rotation policy available on request |
| Backups | Encrypted periodic backups with retention windows and routine restore testing. | Backup and restore controls validated in operations runbooks |
| Logging | Structured security logging with retention limits and sensitive-path administrative audit trails. | Operational audit controls available on request |
Reporting a vulnerability
We want to hear from you. Acknowledged within 24 hours; substantive response within 5 business days; disclosure timeline negotiated with you.
- Email — security@odahl.ai (PGP key fingerprint published in /.well-known/security.txt)
- Encrypted alternative — Signal: ask for the founder's number via the email above.
- Bounty range — $250 – $5,000 AUD depending on severity. Critical issues affecting auth, founder boundary, or substrate confidentiality top the range.
- Safe-harbour — We do not initiate legal action against researchers acting in good faith. Stay out of other people's accounts, don't exfiltrate or destroy data, give us reasonable time to fix.
Supported versions
Odahl is a single live service — there are no "versions" to keep on life-support. Every patch is rolled out to all users. Old API key formats (fdc_test_… beta keys issued before May 2026) remain valid; if we ever sunset a key format we will give 90 days' notice and roll all affected keys for free.
Threat model summary
We design against four kinds of attacker:
- Drive-by abuse — bots, scrapers, password-spray. Mitigated by layered edge protections and route-level rate controls.
- Single-account compromise — stolen cookie, leaked password. Mitigated by short session TTL, per-session TOTP gates for sensitive paths, audit log, anomaly alerts on login from new IP/UA.
- Sub-processor compromise — one of our vendors is breached. Mitigated by per-user envelope encryption (we never co-locate plaintext + identifier), no third-party model API in the runtime path, secrets rotation, principle of least privilege on every vendor.
- Infrastructure compromise — host-level compromise scenario. Mitigated by encrypted substrate storage, scoped credentials, encrypted off-site backups, and an incident-response plan that targets customer notification within 72 hours.
What is not in scope
Honesty up front:
- SOC 2 Type II — in progress; Type I targeted Q3 2026, Type II Q1 2027.
- ISO 27001 — targeting end of 2026.
- HIPAA — we are not currently a Business Associate; do not use Odahl for protected health information.
- FedRAMP — out of scope, not pursuing.
- Service-level agreements — Legendaria tier includes a 99.9% SLA with credits; lower tiers are best-effort.
Accessibility
We target WCAG 2.2 AA on marketing and product surfaces. If something blocks you from core tasks, email hello@odahl.ai — we prioritise fixes that remove hard barriers.
Contact
Security: security@odahl.ai. Privacy: privacy@odahl.ai. Founder & DPO: joe@fiduci.group.