From 198d5cf3816bf98ca92b4e58dde8d341627bc84d Mon Sep 17 00:00:00 2001 
From: Manas Srivastava
Date: Thu, 14 May 2026 12:41:05 +0530
Subject: [PATCH] docs: publish trust docs to correct repo (fix 404 on /docs/public/* + /.well-known/*)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PRs #3 and #4 on InstaNode-dev/web shipped these 7 files, but that repo has no GitHub Pages config. The publishing surface for instanode.dev is this repo (InstaNode-dev/instanode-web) — Pages source is main, path /, CNAME instanode.dev. Vite copies public/ verbatim into dist/ which Pages serves.

Re-publishing the 7 files under public/docs/public/ + public/.well-known/ so the URLs Persona4 (InfoSec) and Persona2 (hobby dev) actually hit return 200.

Files (all from the original landed-but-wrong-repo PRs, content unchanged except security.txt Expires bumped from 2027-05-13 → 2027-05-14):

  public/.well-known/pgp-key.txt (4096-bit RSA, fpr E950B348C79A...)
  public/.well-known/security.txt (RFC 9116)
  public/docs/public/dpa.md (controller-to-processor DPA + SCCs)
  public/docs/public/subprocessors.md (DigitalOcean, Razorpay, Brevo, etc.)
  public/docs/public/breach-notification.md (72h commitment + template)
  public/docs/public/security.md (bug-bounty intake + safe harbor)
  public/docs/public/trust-residency.md (NYC3 today, EU on roadmap)

Verified locally: npm run build produces all 7 files under dist/ at the correct paths.
--- public/.well-known/pgp-key.txt | 52 ++++++++ public/.well-known/security.txt | 8 ++ public/docs/public/breach-notification.md | 68 +++++++++++ public/docs/public/dpa.md | 138 ++++++++++++++++++++++ public/docs/public/security.md | 99 ++++++++++++++++ public/docs/public/subprocessors.md | 42 +++++++ public/docs/public/trust-residency.md | 111 +++++++++++++++++ 7 files changed, 518 insertions(+) create mode 100644 public/.well-known/pgp-key.txt create mode 100644 public/.well-known/security.txt create mode 100644 public/docs/public/breach-notification.md create mode 100644 public/docs/public/dpa.md create mode 100644 public/docs/public/security.md create mode 100644 public/docs/public/subprocessors.md create mode 100644 public/docs/public/trust-residency.md diff --git a/public/.well-known/pgp-key.txt b/public/.well-known/pgp-key.txt new file mode 100644 index 0000000..d64c131 --- /dev/null +++ b/public/.well-known/pgp-key.txt 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGoFUmMBEADr1mZl0PKIKWNxWMawp/TguRQw80ocTMl8VcdiPBhp7hLl9sXx +emFjyZ8RP5c/5LwMmKleGD3Kqu6R8jUoIBJEOXktUXqEO9dA7g3+PsB+ulPyuyg8 +HrIAARkh4Gybp5tf19TdZn0lDWooXVuqleOcsbOtqMRpvxoFbPRo+LsgPiOCnDU/ +cniSqGN+nvBhwqtRl0E2VZTQD3EODMJmQZ7KAInU9zGba3xYqqxPPt2VSLiDNZFd +xvvb7lq/UnNSjSZ4/eZVrOq2WR3jCvSpB69McBA5Qlf+StRBhq5smmTERhIpRV0H +bmN3gRI7GwLqYyWG5zjWKIE2HmUqYTRiKSknre/RwzqOcpCYVdDuBjmnBT6A0525 +ZKhAOD8JYAcVZJdfESyUPrM8WdhvOoD2Uf0iKqNFs2Fyc85UXIk+vL4sM8tv4PM3 +rQbVlGwgcj0CL7IHzE3vkpMT3/Jg12bQecxR9QLXtNnPmb/NXjUU2r2Qvl0BnB6d +plpdJz2bK0U0KUeypYdHMLvxeIyyFFgKePuEvq9AL3QxdMT8oCjy+RXEh3fgOr2l +LZNQIzxVxYRJLNsZTrI599LfiRnhNlHvdxXuDxO4X4G9FCRUPvHj1wMOrv14PmcL +kLL5+sRhbbMmUYZ3DgnV0tP+WxwfJtBqBLjy6WzNrFp/4IwcjeWwHuLi4wARAQAB +tC9pbnN0YW5vZGUuZGV2IHNlY3VyaXR5IDxzZWN1cml0eUBpbnN0YW5vZGUuZGV2 +PokCVwQTAQoAQRYhBOlQs0jHmn6GeGenauwgZwQupLwjBQJqBVJjAhsDBQkDwmcA +BQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEOwgZwQupLwj950P/A0jq8YW +a5qk/OkSEPM4QGBlz1JQtFEJOKoPGRR9G00aGkCiJFCUGszTHvqnRcb+2iQtuyZg +zEQ/CIkA4jgjJ/S9pgL73dSkJ19k+8sQetz2/VfDUU96q97LrpczbVeJ/roGogPh +pV2QzuZKzhCZMEUHaS2uf33VKq6cIhpRr7MTRtbyWmfzgplPu0IJkWENjfvcuGsB +0Bgaaw1j7RC/VK9Y0p6wcvKvlOirlKL0GW09uEeglBqpZlpWriSSoHK5VfTdY1XD +38nv7uO22FttUCf9pY15bItnTDNdnEbkJziRKvd70oj6AgqtNB3VyOrccTxwRpEu +ndWHuzZjnd/GRhDZ2A2qcKXHdQGT84gblbKbDYWHJLpmeWPhRHlZe8A7XHWbigCg +Lm2mj01ZHgC43NQ0TGFNKtRMBGWe9h0uDU4iJZEK1yJdUm3vFUO/EXUlGD1yHoQG +kwJELfmqMZ6dg2mwQWsdtDvZGarM0+7u05kjwf9L4UfXy8HpOAD6bzYWfNWgTVJZ +gZ8bI8VjysIy8lB68IsXboLEwgF6/OzN00SQ8RCFN/Dg+Mn8zMs2hgn1qwcCM9XI +kDpE/ZJgYqLyH4jnMWhh3NzCI58bqdfzk77AEZg8o+xNPPN7bHIop7WJ4svx5SFP +j8jXisZdx8xGrdjsbGfkQdUYmVzp8i55F3aKuQINBGoFUmMBEACjXsiQ9xIc7xT0 +utCytoC6bTximzIjoHLCFYJKei4fDkOFyk+jXdPwaPXNWvzU+BfnuaN2aoPjthaV +9KybkBq1SwdIz3iEbqZWWhpMWGIVOOFyBhYFVos2mVcEW8R7/t4K9cPd4VhwS0SO +Hoa5uTjwrqCjIsw/PXfPxMQYIUuhEpfjFiMaLq9K98DOBN4gypU4slyGt0kazMcD +Kl4vmZC4wfPJmTR+4F2SV1oPX06wb5ShfruJrgUceQlN8LL1uKR0cmNrYUQy+wbE 
+qQGs5lKTTf2nhm8iiA7tOXmtb8wlgJB5ChgDTnyDivbucm9daFnEDmOQ/lJGmrK3 +g1TQF2KpJ/pjodywL0bwzWetA85UG0W2bzfR3/RJItEyDS3JdacXR0l1Q/omphCe +UeETT8lW20yneRvUVTpZtyT5VOFRNnDLvqbTFg+kFWFyx+DjjUDNFRjByhl+FjRx +zppcQ93nsJCd8/1YNeAYLwcx76oPH5+ImrobTsFgaGr4gIsM5Gx44i8Eln0zGb+M +X7pPPTXm2vszxImfZiqwiB4x/wQr3P8e8UbQGBV6H4Lc3SsWckM3/xu2rn+nQmVW +lKH9TVprxcHm06A0dqJnSOq3GMvd+stbw872Hrsgy2lreB6Y12ebaipa0EF4OVkh +4RdI2ilJw5aZMTmfAW9jNKfdjGMukQARAQABiQI8BBgBCgAmFiEE6VCzSMeafoZ4 +Z6dq7CBnBC6kvCMFAmoFUmMCGwwFCQPCZwAACgkQ7CBnBC6kvCPCPg/+Mry5RHjc +21UjunDj3s9hpS1iTqJSvLD7H/eoo97qLtNm8RjE9px+lt3bmMbCJNABYuIOwSsm +i2Jr8p/qC+DXk8MNUeKnVc4kByVdihEndEPg8Hd10ssfAKLtItMEilQK4jLAKKGH +ytzTTAnDa068NhswoM0OkQxk+0phXcGP52pSOpJ0PsskKMk4ob7szatBzzyXwWgV +56Jd17hmyuToLV2sLQ32F4G+MG1OZFLNl/xxaR9xrBjEEYBKiur97nrJYzZqfdhF +0dEsdzjR7Vmi/jcvkO6MRomw5NWqhBsJU1sB550U/qF6UB3TN804uA1Y7WDGb3ii +LTTF5537Qy1PM1YrpCQePOlJ/DpbNHzLHCxuLtMIyDj7SLZ4A6VqvYy1wUZF3kCe +ofiR+sJuls+nC+j6vKVouHyfK2PzlsV9VCTmCjq3OCEL4gUN9GskhXqxZPfYccma +xImnuzRiTkCssdI1HXvXEsew3M7Ws3l05DC2R1gXU4GWV5LagtxcT/ahfxPJ2yBY +5uXfmnT2U4RlK2HiWh5FpgUPn9gF1Y0oyWHZhfYtprxHIbfsjhp2j+NjxFB+tKh+ +tFzuC1kemWbQ41LoZHKpcnYiW7OXxy3x76bYCgKt35l3i4rF1eoBz1iIWbg8tr2e +lGtkElvQZvlSyEha5qOOi593Mf6gwlxq/vc= +=DfMh +-----END PGP PUBLIC KEY BLOCK----- diff --git a/public/.well-known/security.txt b/public/.well-known/security.txt new file mode 100644 index 0000000..a2f7ecc --- /dev/null +++ b/public/.well-known/security.txt @@ -0,0 +1,8 @@ +Contact: mailto:security@instanode.dev +Expires: 2027-05-14T00:00:00Z +Encryption: https://instanode.dev/.well-known/pgp-key.txt +Acknowledgments: https://instanode.dev/docs/public/security +Preferred-Languages: en +Canonical: https://instanode.dev/.well-known/security.txt +Policy: https://instanode.dev/docs/public/security +Hiring: https://instanode.dev/jobs diff --git a/public/docs/public/breach-notification.md b/public/docs/public/breach-notification.md new file mode 100644 index 0000000..f005b15 --- /dev/null 
+++ b/public/docs/public/breach-notification.md 
@@ -0,0 +1,68 @@ +# Breach Notification Commitment + +Last updated: 2026-05-13. + +This page is incorporated by reference into the [Data Processing Agreement](./dpa.md) and into our standard customer terms. It states our standing commitment to notify customers of personal-data breaches affecting their data. + +--- + +## Our commitment + +If we become aware of a personal-data breach affecting your data, we will notify you without undue delay, and in any event within 72 hours of becoming aware, in accordance with Article 33(2) of the GDPR. + +The notification will include, to the extent known at the time and supplemented as the investigation progresses: + +- The nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal-data records concerned. +- The name and contact details of the contact point where more information can be obtained. +- The likely consequences of the breach. +- The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. + +Where it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay. + +--- + +## "Becoming aware" + +For the purpose of the 72-hour clock, we consider ourselves to have "become aware" at the point at which we have a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. A brief period of internal investigation to establish that certainty is permitted under the European Data Protection Board's [Guidelines 9/2022 on personal data breach notification](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en) and does not by itself start the clock. 
+ +Where an event is genuinely ambiguous and the customer is in a better position than we are to assess impact, we will share what we know promptly even before the clock formally starts, so the customer can begin their own investigation. + +--- + +## How we will reach you + +We send breach notifications by email to the account contact on record and to any additional security-contact addresses you have registered with us. Customers on the Team tier may register a dedicated security-incident email address by writing to `privacy@instanode.dev`. + +We do not rely on dashboard banners as the primary notification channel for breaches, because an account may not be opened in time. + +--- + +## What you should do + +When you receive a notification from us: + +1. **Acknowledge receipt** to the address from which the notification was sent, so we can confirm delivery on the clock. +2. **Designate an incident contact** on your side. We will treat them as the channel for follow-ups. +3. **Cooperate on containment.** The notification will include any steps we recommend you take on your end — for example, rotating credentials, revoking active sessions, or pausing a specific deploy. +4. **Coordinate downstream notification.** If the breach affects your end users, we will work with you on the joint communication plan, including timing and content, and will not announce the breach publicly before you have had a reasonable opportunity to notify your own customers — unless required to do so by law or by a supervisory authority. + +We will document the breach internally and provide you with a written post-incident report covering root cause, timeline, customer impact, and remediation. + +--- + +## Recent incidents + +| Date | Summary | Customers affected | Status | +|---|---|---|---| +| — | No customer-affecting incidents reported to date. | — | — | + +This table is updated whenever a customer-affecting incident occurs. 
+ +--- + +## Related documents + +- [Data Processing Agreement](./dpa.md) +- [Subprocessor list](./subprocessors.md) +- [Security disclosures and reporting](./security.md) +- [Trust and residency](./trust-residency.md) diff --git a/public/docs/public/dpa.md b/public/docs/public/dpa.md new file mode 100644 index 0000000..1f37957 --- /dev/null +++ b/public/docs/public/dpa.md 
@@ -0,0 +1,138 @@ +# Data Processing Agreement + +> This DPA template is provided for customer review. To execute a signed instance for your organization, contact `privacy@instanode.dev`. The version published on this page is the contractually-binding template — signing follows the standard process described under "Execution" below. + +Last updated: 2026-05-13. + +--- + +This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement or equivalent services agreement (the "Agreement") between the customer ("Controller") and instanode.dev ("Processor") for the provision of the instanode.dev platform (the "Services"). It is entered into pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR") and applies wherever the Processor processes personal data on behalf of the Controller. + +In case of conflict between this DPA and the Agreement, this DPA prevails with respect to data-protection matters. + +--- + +## 1. Subject Matter and Duration + +The subject matter of the processing is the provision of managed developer infrastructure (databases, caches, object storage, message queues, webhook receivers, application deployments, and adjacent platform services). The duration of the processing is the term of the Agreement plus any post-termination retention period set out below. + +## 2. Nature and Purpose of Processing + +The Processor processes personal data only to provide, secure, support, and bill for the Services, and only on documented instructions from the Controller. Documented instructions include the Agreement, this DPA, the Controller's use of the Services' configuration surfaces, and any subsequent written instructions the Controller gives the Processor. + +## 3. 
Categories of Personal Data + +The Processor may process the following categories on behalf of the Controller: + +| Category | Source | Purpose | +|---|---|---| +| Account identifiers (email, name, organization) | Controller's sign-up | Account management | +| Authentication metadata (OAuth subject, hashed session tokens) | Sign-in flow | Authentication | +| Application content stored in customer-provisioned resources | Controller's applications | Service operation | +| Operational telemetry (request logs, error traces, performance metrics) | Service operation | Reliability, security, support | +| Billing metadata (plan, invoice IDs, transaction amounts; never card data) | Payment processor | Billing | + +The Controller acknowledges that the content stored in customer-provisioned resources is controlled, populated, and classified by the Controller; the Processor does not inspect it except where strictly necessary to operate, secure, or recover the Service. + +## 4. Categories of Data Subjects + +Data subjects may include the Controller's: +- Employees, contractors, and agents who hold accounts on the Service. +- End users of applications the Controller deploys or operates on the Service. +- Any other natural persons whose personal data the Controller chooses to process through the Service. + +## 5. Obligations of the Processor + +The Processor will: + +1. Process personal data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do otherwise by Union or Member State law to which the Processor is subject. +2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation. +3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Annex B). +4. 
Assist the Controller, by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for the exercise of data-subject rights under Chapter III of the GDPR. +5. Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor. +6. At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless retention is required by Union or Member State law. +7. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this clause and Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the audit terms in Section 9. + +## 6. Sub-processor Authorization + +The Controller provides a general written authorization for the Processor to engage sub-processors to assist in providing the Services. The current list of sub-processors is published at [/docs/public/subprocessors](./subprocessors.md). The Processor will: + +- Maintain the published list as the authoritative record. +- Notify the Controller by email at least 30 days before adding or replacing a sub-processor. +- Permit the Controller to object to a new sub-processor during that window; if the parties cannot agree on a mitigation, the Controller may terminate the affected Services without penalty for the remainder of the prepaid term. +- Impose data-protection obligations on each sub-processor that are no less protective than those in this DPA. + +## 7. 
International Transfers — Standard Contractual Clauses + +Where the Processor or any sub-processor processes personal data outside the European Economic Area, the United Kingdom, or Switzerland in a jurisdiction not benefiting from an adequacy decision, transfers are governed by the Standard Contractual Clauses ("SCCs"). + +By signing this DPA, the parties incorporate the SCCs published at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en (Commission Implementing Decision (EU) 2021/914, Module Two — Controller to Processor), with this DPA's Annex A serving as the SCC Annex (Annex I.A, I.B, I.C, II, and III). Where the United Kingdom International Data Transfer Addendum or the Swiss FDPIC equivalent applies, the parties incorporate those instruments by reference and treat references to "the GDPR" as references to the UK GDPR or the Swiss FADP, as applicable. + +The Processor commits to the supplementary measures described in Annex B (encryption in transit and at rest, key isolation, access controls, logging) to address the risks identified by the European Data Protection Board in its post-Schrems II guidance. + +## 8. Data Breach Notification + +The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a personal-data breach affecting the Controller's data. The Processor's standing commitment, the definition of "becoming aware," and the content of breach notifications are set out at [/docs/public/breach-notification](./breach-notification.md), which is incorporated into this DPA by reference. + +## 9. Audits + +The Controller has the right, upon reasonable prior written notice and not more than once per twelve-month period (except following a confirmed breach affecting the Controller's data), to audit the Processor's compliance with this DPA. The Processor will satisfy audit obligations by providing: + +1. 
The Processor's then-current security documentation and trust page (`/docs/public/trust-residency`). +2. Independent third-party attestations once available (SOC 2, ISO 27001, or equivalent). +3. Written responses to a reasonable security questionnaire (CAIQ or equivalent). + +On-site audits are available for Team-tier customers under a separate Mutual NDA and at the Controller's cost, scheduled to avoid unreasonable disruption to the Services or other customers. + +## 10. Liability + +Liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. The Processor's aggregate liability under or in connection with this DPA is capped at the amount set in the Agreement; nothing in this DPA limits any liability that cannot be limited under applicable law. + +## 11. Termination + +This DPA terminates automatically with the Agreement. Upon termination, the Processor will, at the Controller's choice, delete or return all personal data within 30 days, unless retention is required by Union or Member State law, in which case the Processor will continue to protect the data under the obligations of this DPA until deletion. Backups containing personal data will be overwritten in the ordinary course of the Processor's backup-rotation schedule (90 days maximum). + +## 12. Execution + +This DPA becomes binding upon the earlier of (a) electronic countersignature via the link provided after a written request to `privacy@instanode.dev`, or (b) the Controller's continued use of the Services after publication of this DPA where the Agreement expressly incorporates the published DPA by reference. Either party may request a paper-signed counterpart; the Processor will provide one within 10 business days. + +--- + +## Annex A — Description of Processing + +This Annex serves as Annex I to the SCCs. + +- **Data exporter:** the Controller, as identified in the Agreement. +- **Data importer:** instanode.dev, the Processor. 
+- **Categories of data subjects:** as in Section 4. +- **Categories of personal data:** as in Section 3. +- **Sensitive data:** none processed by default. Controllers must not store special-category data (GDPR Article 9) on the Service without a prior written addendum. +- **Frequency:** continuous. +- **Nature and purpose:** as in Sections 1 and 2. +- **Retention:** for the term of the Agreement plus the deletion timeline in Section 11. +- **Sub-processors:** as published at [/docs/public/subprocessors](./subprocessors.md). +- **Competent supervisory authority:** the supervisory authority of the Controller's lead establishment, or where the Controller is outside the EEA, the supervisory authority of the EU Member State in which the Controller's EU representative is located. + +## Annex B — Technical and Organizational Measures + +| Domain | Measure | +|---|---| +| Encryption in transit | TLS 1.2 or higher for all customer-facing and inter-service traffic | +| Encryption at rest | AES-256-GCM for credentials; provider-side encryption for managed-disk volumes | +| Access control | Role-based access; least-privilege defaults; multi-factor authentication required for production operator access | +| Network isolation | Customer workloads run in segregated environments; egress controlled | +| Logging and audit | Operational logs retained for security investigations; access logs reviewed on incident | +| Key management | Platform secrets generated with cryptographically secure RNGs; rotation supported without service interruption | +| Vulnerability management | Disclosed via [/docs/public/security](./security.md); patch cadence aligned with severity | +| Backup and recovery | Platform-managed backups on a 90-day rolling window; customer-controlled export at any time via the Service API | +| Personnel | Confidentiality obligations in employment terms; background checks where lawful | +| Incident response | 72-hour customer notification commitment per Section 8 | + +--- + 
+## Related Documents + +- [Subprocessor list](./subprocessors.md) +- [Security disclosures and reporting](./security.md) +- [Breach notification commitment](./breach-notification.md) +- [Trust and residency](./trust-residency.md) diff --git a/public/docs/public/security.md b/public/docs/public/security.md new file mode 100644 index 0000000..32c6d0f --- /dev/null +++ b/public/docs/public/security.md 
@@ -0,0 +1,99 @@ +# Security Disclosures + +Last updated: 2026-05-13. + +This page is the canonical location for reporting security issues to instanode.dev. It is referenced from [`/.well-known/security.txt`](/.well-known/security.txt) per RFC 9116. + +--- + +## Reporting a vulnerability + +Email `security@instanode.dev`. + +For sensitive reports, encrypt with our PGP key. + +- Fingerprint: `E950B348C79A7E867867A76AEC2067042EA4BC23` (RSA 4096, expires 2028-05-14) +- Public key: [`/.well-known/pgp-key.txt`](/.well-known/pgp-key.txt) + +Include in your report: + +- A clear description of the issue and its impact. +- Steps to reproduce, ideally with a minimal proof of concept. +- The affected URL, endpoint, version, or commit if known. +- Your name or handle for credit, and whether you wish to be acknowledged. + +Please do not file public GitHub issues for security reports. + +--- + +## Response SLA + +| Stage | Target | +|---|---| +| Acknowledgment of receipt | Within 48 business hours | +| First status update | Within 5 business days | +| Triage and severity rating | Within 10 business days | +| Fix or mitigation plan | Communicated with the triage outcome; timeline depends on severity | +| Public disclosure | Coordinated with the reporter, typically after fix and customer notification | + +Business hours are 09:00–18:00 IST, Monday through Friday, excluding Indian public holidays. + +--- + +## Scope + +In-scope assets: + +- `instanode.dev` and its subdomains (`*.instanode.dev`), including the marketing site, dashboard, and API. +- Customer-facing application URLs hosted on the deployment platform (`*.deployment.instanode.dev`), when the issue is in the platform itself rather than customer code. +- Official client libraries and CLI distributed by instanode.dev. + +Out-of-scope: + +- Third-party services we use as sub-processors. Report those directly to the service. See the [sub-processor list](./subprocessors.md). 
+- Denial-of-service findings that rely on volumetric load. +- Social engineering of staff, customers, or sub-processor support teams. +- Physical attacks against any facility. +- Findings that require already-privileged access on the victim machine. +- Best-practice issues without a demonstrable security impact (e.g., missing low-impact headers on static pages). +- Vulnerabilities in customer-deployed application code; report those to the customer that operates the application. + +--- + +## Safe Harbor + +We authorize good-faith security research conducted within this scope and policy. While conducting research, please: + +- Avoid privacy violations, degradation of the Service, and destruction of data. +- Do not pivot beyond the minimum proof of concept needed to demonstrate impact. +- Do not exfiltrate customer data. If you accidentally encounter customer data, stop, do not retain or share it, and report the finding immediately. +- Use only your own accounts or accounts you have explicit written permission to test. + +If you make a good-faith effort to comply with this policy during your research, we will consider your research authorized, will not pursue civil action or initiate a complaint to law enforcement, and will work with you to understand and resolve the issue quickly. + +--- + +## Bug-bounty status + +Today we run an informal disclosure program: bounties are paid case-by-case, scaled to severity and quality of the report. A more formal program through HackerOne or Bugcrowd is targeted for onboarding in Q4 2026. + +Until then, reporters are eligible for cash awards at our discretion plus public acknowledgment if desired. + +--- + +## Recognition + +Researchers who submit valid reports under this policy are credited below with their permission. + +| Date | Researcher | Summary | +|---|---|---| +| — | — | No reports acknowledged yet. 
| + +--- + +## Related documents + +- [`/.well-known/security.txt`](/.well-known/security.txt) +- [Breach notification commitment](./breach-notification.md) +- [Data Processing Agreement](./dpa.md) +- [Trust and residency](./trust-residency.md) diff --git a/public/docs/public/subprocessors.md b/public/docs/public/subprocessors.md new file mode 100644 index 0000000..808c909 --- /dev/null +++ b/public/docs/public/subprocessors.md 
@@ -0,0 +1,42 @@ +# Subprocessors + +Last updated: 2026-05-13. + +This page lists the sub-processors instanode.dev engages to provide the Service. It is the authoritative record referenced by the [Data Processing Agreement](./dpa.md) and by Cloud Security Alliance CAIQ Section H responses. + +--- + +## Current sub-processors + +| Sub-processor | Role | Data categories processed | Region | DPA in place | SCCs / transfer mechanism | +|---|---|---|---|---|---| +| DigitalOcean | Compute, container orchestration, and DO Spaces object storage hosting customer workloads and data at rest | Customer application data; customer compute workloads; resource credentials encrypted at rest | United States (NYC3 today; eu-west planned) | Yes | Yes — EU-US Data Privacy Framework certified | +| Razorpay | Payment processing (subscription, invoicing, dunning) | Billing metadata: email, plan tier, transaction amounts and timestamps. Card data is tokenized by Razorpay and is never transmitted to or stored by instanode.dev. 
| India and global | Yes | Standard Contractual Clauses (Module Two) | +| Brevo (formerly Sendinblue) | Transactional email — welcome, upgrade confirmations, payment receipts, dunning notices, deletion-request acknowledgments | Email address; first name | European Union | Yes | Not applicable — EU residency | +| GitHub | OAuth sign-in | GitHub username; primary email; public profile | United States | Yes | Yes — EU-US Data Privacy Framework certified | +| Google | OAuth sign-in | Email address; given name; family name | United States | Yes | Yes — EU-US Data Privacy Framework certified | +| New Relic | Observability — logs, traces, metrics | Operational telemetry; may incidentally include customer identifiers (account UUIDs, email addresses) in error contexts | United States | Yes | Yes — EU-US Data Privacy Framework certified | +| Amazon Web Services (SES bounce handling) | Email-deliverability webhooks (bounce, complaint, suppression) | Masked recipient addresses; delivery status codes | United States | Yes | Yes — EU-US Data Privacy Framework certified | + +--- + +## Change notification + +We notify all customers via email at least 30 days before adding or replacing a sub-processor. Customers may object during that window. If the parties cannot agree on a mitigation, the affected customer may terminate the Service for the remainder of the prepaid term without penalty. + +To subscribe a different email address for sub-processor change notices, contact `privacy@instanode.dev`. + +--- + +## Removed sub-processors + +None to date. + +--- + +## Related documents + +- [Data Processing Agreement](./dpa.md) +- [Breach notification commitment](./breach-notification.md) +- [Security disclosures and reporting](./security.md) +- [Trust and residency](./trust-residency.md) diff --git a/public/docs/public/trust-residency.md b/public/docs/public/trust-residency.md new file mode 100644 index 0000000..86906c8 --- /dev/null +++ b/public/docs/public/trust-residency.md 
@@ -0,0 +1,111 @@ +# Data Residency and Trust + +This page tells you where your data lives, how durable it is, what compliance posture instanode.dev has today, and what we do not yet support. It is written to be useful during a security review. If you need something that is not on this page, email `security@instanode.dev` or `privacy@instanode.dev` and we will answer. + +This page is kept current. The date at the bottom of this document is the last time we reviewed it end-to-end. + +--- + +## Where your data lives + +Today, all production infrastructure runs in a single US-east region. Compute runs on redundant US-east managed infrastructure. Object storage runs in `nyc3` on DigitalOcean Spaces. Every customer database — Postgres, Redis, MongoDB — and every object-storage bucket you provision through instanode.dev is co-located in that same region. + +There is no customer-pick region selector today. If your data needs to live outside US-east for legal, compliance, or latency reasons, instanode.dev is not yet the right platform for you. See the roadmap below. + +--- + +## What regions we offer today + +| Region | Status | Available on | +|---|---|---| +| US-east | Live | All tiers | +| EU-west (eu-west-1) | On roadmap, no committed date | Team tier only | +| India (ap-south-1) | On roadmap, no committed date | Team tier only | + +If a future region would unblock you, write to [enterprise@instanode.dev](mailto:enterprise@instanode.dev) and tell us which region and roughly when you would need it. We use that signal to prioritize. + +--- + +## Durability + +### Object storage + +Object storage is backed by DigitalOcean Spaces, which is an S3-compatible service. DigitalOcean publishes an object durability target of 99.999999999% (eleven nines) with in-region replication. We do not currently replicate object data across regions. 
+ +Anonymous-tier object data is auto-deleted at 24 hours via an object-store lifecycle rule, not just via our application logic — so the deletion is enforced at the storage layer. + +### Postgres, Redis, MongoDB, vector databases + +Customer databases are backed up via snapshot. Snapshot retention by tier: + +| Tier | Snapshot retention | +|---|---| +| Anonymous | None — resources are deleted at 24h | +| Hobby | 7 days | +| Pro | 30 days | +| Team | 90 days | + +Customer-initiated restore from a snapshot is rolling out for Pro and Team tiers. Until that surface is live, restore is operator-assisted — open a ticket at `support@instanode.dev` with the resource ID and target timestamp. + +### Vault + +Secrets stored in the vault are encrypted at rest with AES-256-GCM. The data-encryption key is held outside the resource store. Key rotation is supported. Plaintext values are not returnable from any read endpoint once set — you can update or reference the value, but you cannot fetch the plaintext back through the API. + +--- + +## Egress IPs + +Outbound traffic from instanode.dev deploy infrastructure leaves from a pool of egress addresses. If you operate a firewall, IP allowlist, or third-party API that needs to see a stable source range, the current CIDR list is: + +| CIDR | Purpose | +|---|---| +| `152.42.154.144/32` | Primary egress for compute, builds, webhooks, and outbound API calls | + +If you need notification before any of these change, subscribe to the changelog (see [`/changelog`](/changelog)) or email `security@instanode.dev`. + +A few honest caveats: + +- We do not commit to static egress IPs on the Hobby tier. The pool may change without notice. +- On the Team tier, a dedicated egress IP is available on request through `enterprise@instanode.dev`. +- These are best-effort published ranges, not a contractual guarantee, unless you are on a Team-tier contract that calls them out. + +--- + +## Compliance posture + +We aim to say only what is true. 
Here is what is true today. + +| Framework | Status | +|---|---| +| SOC 2 Type II | In progress. Target completion Q3 2026. Audit firm not yet selected. We do not have a SOC 2 report to share today. | +| HIPAA | Not supported. We do not sign Business Associate Agreements today. If you need a BAA, email `enterprise@instanode.dev` so we can scope a Team-tier engagement and tell you whether and when we can support it. | +| GDPR | Today, instanode.dev is not a suitable controller-of-record for EU resident PII. All infrastructure is US-only, and we do not yet offer Standard Contractual Clauses. EU customers requiring an EU data residency posture should wait for eu-west-1. | +| PCI-DSS | We do not handle cardholder data. Payment processing runs through Razorpay. Do not store card numbers in instanode.dev resources. | + +If you are on a procurement call that requires a compliance answer not listed here, contact `security@instanode.dev` and we will tell you the truth instead of dodging. + +--- + +## How to file a data-handling concern + +| Reason | Email | +|---|---| +| Security disclosure or suspected vulnerability | [security@instanode.dev](mailto:security@instanode.dev) | +| Data-handling, privacy, or subject-rights request | [privacy@instanode.dev](mailto:privacy@instanode.dev) | +| Enterprise security review, custom region, BAA inquiry | [enterprise@instanode.dev](mailto:enterprise@instanode.dev) | + +We respond within 48 business hours. Coordinated disclosure for security issues is welcome — send a description, reproduction steps, and your preferred handle for credit. + +--- + +## Related documents + +- [Data Processing Agreement](./dpa.md) +- [Subprocessor list](./subprocessors.md) +- [Security disclosures and reporting](./security.md) +- [Breach notification commitment](./breach-notification.md) +- [`/.well-known/security.txt`](/.well-known/security.txt) + +--- + +_Last reviewed: 2026-05-13._
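Review bot: public/.well-known/pgp-key.txt carries no check that its armored key is the one the rest of the patch describes (security.md: fingerprint `E950B348C79A7E867867A76AEC2067042EA4BC23`, RSA 4096, expires 2028-05-14; commit message: `fpr E950B348C79A...`). Add a build step that runs `gpg --show-keys --with-fingerprint public/.well-known/pgp-key.txt` and fails if the printed fingerprint or expiry differs from the values in security.md, so a future key rotation cannot leave the published key and the published fingerprint out of sync. The expiry order is right today (the key outlives the security.txt `Expires:` of 2027-05-14T00:00:00Z, so the security.txt refresh comes first), and the same check should assert that ordering.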
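Review bot: the `Acknowledgments:` and `Policy:` URLs in public/.well-known/security.txt (`https://instanode.dev/docs/public/security`) have no extension, but the file this patch adds is `public/docs/public/security.md`, and the commit message says Vite copies `public/` verbatim and Pages serves it. Unless the site has a route or rewrite for extensionless paths that is not in this diff, those URLs will keep returning 404 and only `/docs/public/security.md` will return 200 (served as text/markdown, not as a rendered page); the same applies to `/docs/public/trust-residency` cited in dpa.md §9. Either point the fields at the `.md` URLs or add the rewrite, and extend the "Verified locally" check to a `curl -sI` of each deployed URL, since `npm run build` only proves the files exist in dist/. Separately, the file is unsigned: RFC 9116 section 2.3 recommends a cleartext OpenPGP signature over security.txt, and the `Canonical:` field exists so the signed text can assert its own location; the signing key already sits at `/.well-known/pgp-key.txt`, so `gpg --clearsign` the file with it and publish the signed output.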
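Review bot: in public/docs/public/breach-notification.md, "within 72 hours of becoming aware, in accordance with Article 33(2) of the GDPR" attributes the 72-hour figure to the wrong paragraph. Article 33(2) only requires a processor to notify the controller "without undue delay"; the 72-hour deadline is Article 33(1), the controller's deadline to the supervisory authority. The commitment itself is fine and stronger than the statute, so say that, e.g. "without undue delay as required by Article 33(2), and in any event within 72 hours so that you can meet your own Article 33(1) deadline". dpa.md §8 repeats the 72-hour wording without citing an article, so only this page needs the change.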
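Review bot: public/docs/public/dpa.md §7 incorporates the 2021/914 SCCs (Module Two) and §6/Annex A rely on the published sub-processor list, but trust-residency.md in this same patch says "we do not yet offer Standard Contractual Clauses" and that instanode.dev "is not a suitable controller-of-record for EU resident PII". A customer reading the DPA will conclude SCCs are in place; one reading the trust page will conclude the opposite. Either qualify or drop §7 until SCCs are actually offered, or correct the GDPR row in trust-residency.md, but do not ship both. Also, Annex A names the "Data importer" only as "instanode.dev, the Processor"; Annex I.A of the SCCs requires the legal entity's name, address and contact person, which a page that calls itself the "contractually-binding template" should carry.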
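Review bot: the Response SLA table in public/docs/public/security.md is internally inconsistent. "Acknowledgment of receipt: Within 48 business hours", with business hours defined on the same page as 09:00–18:00 IST (9 hours a day), is about 5⅓ business days, which is later than the "First status update: Within 5 business days" target (45 business hours) on the next row. Either make the first row "2 business days" (or a wall-clock "48 hours") or push the status update to a later target; trust-residency.md repeats "We respond within 48 business hours", so change both together. In the out-of-scope list, "Third-party services we use as sub-processors. Report those directly to the service" should also ask the reporter to copy `security@instanode.dev` when instanode.dev customer data is involved, since a breach at a sub-processor affecting that data still triggers the commitments in breach-notification.md.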
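Review bot: the Razorpay row in public/docs/public/subprocessors.md cites "Standard Contractual Clauses (Module Two)", but Module Two of Decision 2021/914 is controller-to-processor; instanode.dev is the processor here and Razorpay a sub-processor, so the applicable module for that pair is Module Three (processor-to-processor). Module Two is correct only in dpa.md, where the customer is the controller. For the five rows marked "EU-US Data Privacy Framework certified", link each vendor's entry on the DPF list and date the check so the claim is verifiable and can be re-verified on the 30-day change-notification cadence the page promises. The New Relic row says telemetry "may incidentally include customer identifiers (account UUIDs, email addresses) in error contexts", while dpa.md §3 describes "Operational telemetry (request logs, error traces, performance metrics)" with no identifiers; align the DPA category with what the telemetry actually carries.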
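Review bot: the roadmap regions in public/docs/public/trust-residency.md are named `eu-west-1` and `ap-south-1`, which are AWS region slugs, while the rest of the patch places the platform on DigitalOcean (`nyc3`; subprocessors.md says "NYC3 today; eu-west planned"); DigitalOcean's EU and India regions are `ams3`/`fra1`/`lon1` and `blr1`, so either use the provider's slugs or write the rows as "EU (region TBD)" and "India (region TBD)". In the Egress IPs section the text promises "a pool of egress addresses" and a "CIDR list" but the table holds a single `/32`; say it is one address today, or list the pool, so customers do not allowlist too narrowly. The GDPR row ("we do not yet offer Standard Contractual Clauses") contradicts dpa.md §7 in this same patch and has to be reconciled before both pages go live. Finally, this page puts its review date at the bottom ("The date at the bottom of this document is the last time we reviewed it") while the other six files put "Last updated" at the top; pick one convention.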