Trust Center / Security Statement

Effective Date: May 15, 2026 · Operator: Service Automations LLC (CapchaCloud)

Architecture and infrastructure

• Edge-native architecture on Cloudflare’s global network — no traditional VPC, no virtual machines, no exposed ports.
• Multi-tenant isolation with per-tenant database isolation in Cloudflare D1, per-tenant origin allowlists, and per-tenant API keys.
• WORM-style storage in Cloudflare R2 for consent payloads, with cryptographic hash verification.
• Stateless compute in Cloudflare Workers with no persistent local state — eliminates entire classes of server compromise risks.

Encryption

• In transit: TLS 1.2 minimum, TLS 1.3 preferred, on all Service endpoints. HSTS enforced.
• At rest: AES-256 (provider-managed) on Cloudflare D1 and R2.
• Webhook signatures: HMAC-SHA256 with rotating secrets.
• API keys: Stored as hashed values; the plaintext key is shown only at issuance.

Access control

• Multi-factor authentication required for all CapchaCloud administrative access.
• Least-privilege principle for personnel and service-to-service credentials.
• Audit logs for administrative operations.
• Customer access via OAuth-only sign-in (no password storage); per-tenant API keys for programmatic access.

Software development lifecycle

• Version control with code review.
• Automated testing (including Stripe webhook flow, OAuth flow, capture flow, and deletion paths).
• Dependency monitoring with automated security advisories.
• Wrangler deploys with secrets isolated in Cloudflare’s encrypted secret store.

Monitoring and logging

• Request, error, and security event logging at the edge.
• Anomaly detection on authentication and capture endpoints.
• Rate limiting at multiple layers.
• Audit trail for billing events, webhook signature failures, tenant configuration changes, and Personal Data exports.

Vulnerability management

• Dependency scanning on every build.
• Responsible disclosure: contact support@serviceautomations.ai with subject “Security disclosure”. We commit to acknowledging credible reports promptly and to good-faith engagement with researchers acting under standard responsible-disclosure norms. See also security.txt and Vulnerability disclosure.
• Coordinated disclosure before public release of any vulnerability affecting Customers where feasible.

Incident response

• Documented playbook with severity classification.
• 24-hour triage window for credible reports.
• Customer notification within 72 hours of confirmed Personal Data Breach (see DPA §9), and within 30 days of confirmed PHI Breach when a BAA is in effect (BAA §4.3).
• Post-incident review and remediation tracking.

Subprocessor management

• Security due diligence at engagement.
• Periodic review of Subprocessor security posture.
• Contractual flow-down of security obligations.
• Public list: Subprocessors Policy.

Business continuity

• Reliance on Cloudflare’s globally distributed, multi-region infrastructure.
• Regular backups of D1 databases.
• R2 storage with built-in redundancy across multiple physical locations.

Status and incidents

Live status, incident history, and probes: /status.html.

Certifications and attestations

CapchaCloud is currently pre-certification for our own SOC 2 Type II report. We rely on:

• Cloudflare’s compliance posture for our infrastructure layer;
• Stripe’s compliance posture (PCI-DSS Level 1, SOC reports) for payment processing;
• our own administrative, technical, and physical safeguards described in this document and DPA Annex 2.

For SOC 2 readiness status in procurement, email support@serviceautomations.ai (subject: “SOC2 / procurement”).

Legal & privacy documents

• Terms of Service · Privacy Policy · Data Processing Addendum · Acceptable Use Policy · HIPAA BAA (enterprise execution)
• Data residency · Retention & deletion · Compliance program index

End of Trust Center statement. Last updated: May 15, 2026.