Security overview

Plain-language description of how CapchaCloud is built and operated on Cloudflare.

This page is descriptive. It is not a SOC 2 Type II report, ISO certificate, or guarantee that you will pass any audit or law.

Platform architecture (summary)

Edge compute: Cloudflare Workers for APIs, auth integration, and static dashboard assets.
Storage: R2 for vault-style objects; D1 for relational metadata; Queues for asynchronous webhooks.
Bot & abuse: Turnstile and rate limiting where configured.
Optional AI: Workers AI / gateway-backed assistants — advisory only.

Procurement teams often map vendors to trust criteria. Below is a non-exhaustive alignment map — not an assertion of audit readiness.

Theme	Our posture
Logical access	Separate admin vs tenant surfaces; API keys hashed; optional platform-scoped keys.
Change management	Infrastructure-as-code (Wrangler), versioned migrations, peer review for application changes.
Logging & monitoring	Structured Worker logs; security audit table in D1; hash-chained entries for tamper evidence on new events.
Encryption	TLS in transit to Cloudflare; provider-managed encryption at rest for bound services.
Vendor management	Subprocessor list + notice policy; reliance on Cloudflare/Stripe subprocessors’ programs.