Security
How we protect your data
All data is encrypted in transit with TLS: the API requires TLS 1.2 or later (TLS 1.3 is negotiated where the client supports it), enforces HTTPS, and rejects plain-HTTP connections.
All stored data (analysis metadata, account data) is encrypted at rest using AES-256.
Raw log content submitted for analysis is processed in-memory and never written to disk.
API keys are stored only as HMAC-SHA256 digests. We never store plain-text keys, and the full key is shown exactly once, at generation.
All admin actions, member changes, and API key operations are logged (Enterprise plan).
We are currently undergoing a SOC 2 Type II audit; we expect the report in 2026.
Responsible disclosure
If you discover a security vulnerability, please email security@errorlens.ai with a detailed description. We will acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 30 days. We do not pursue legal action against good-faith security researchers.
Security Audit Summary
Last audit: March 2025
| Test | Status | Details |
|---|---|---|
| XSS (Cross-Site Scripting) | ✅ Protected | React JSX auto-escapes rendered output. Invoice and email HTML pass through explicit escHtml() / esc() escaping. dangerouslySetInnerHTML is used only for hard-coded JSON-LD structured data, never for user input. |
| SQL / NoSQL Injection | ✅ Protected | Parameterized statements via the Neon serverless driver; no SQL is built by string interpolation. |
| CSRF (Cross-Site Request Forgery) | ✅ N/A | Authentication uses Bearer tokens (JWT in localStorage), not cookies, so the browser never attaches credentials automatically and a forged cross-site request carries no session. This holds only while no cookie-based session is also accepted; the trade-off is that a localStorage token is readable by any script running on the origin, so the XSS controls above carry the session-security burden. |
| Brute Force (Login) | ✅ Protected | Account locks after 5 failed login attempts for 15 minutes. API rate limits: Starter 30 req/min, Pro 60 req/min, Team 120 req/min, Enterprise 300 req/min. |
| Password Security | ✅ Enforced | Minimum 8 characters with at least one letter and one digit. bcrypt hashing (cost factor 12) in production. Passwords are never stored in plain text. |
| Data Leakage | ✅ Mitigated | Raw logs processed in-memory only — never persisted. API keys displayed once at creation. No third-party analytics. |
| Transport Security | ✅ Enforced | TLS 1.2 or later required (TLS 1.3 negotiated where the client supports it). HSTS with a one-year max-age. All external resources loaded over HTTPS. |
| CSP (Content Security Policy) | ✅ Configured | CSP delivered via HTTP response headers configured in next.config.ts. script-src is limited to 'self' plus the 'unsafe-inline'/'unsafe-eval' relaxations Next.js currently requires for hydration; while those are present the policy does not stop an injected inline script, so output escaping remains the primary XSS defence. Migration to nonce-based script-src is planned. frame-ancestors 'none' blocks framing (clickjacking). |
| Sensitive Data in localStorage | ⚠ Acceptable Risk | Integration API tokens are stored in localStorage (client-side only), cleared on logout, and never transmitted to ErrorLens servers. localStorage is readable by any script running on the origin, so these tokens are only as safe as the XSS controls above. |
| API Key Exposure | ⚠ Architecture Note | In demo mode the API key is sent from the browser, where anyone who can inspect the page or its network traffic can read it. Production deployments should proxy API calls through a server-side endpoint that holds the key. |
| 2FA | ✅ Available | TOTP-based two-factor authentication available on all plans via Settings → Security. |
| Session Management | ✅ Secure | JWT stored in localStorage; Bearer token sent on every API request; cleared on logout. |
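The brute-force controls in the table above (account lock after 5 failed logins for 15 minutes, and per-plan API limits of 30/60/120/300 requests per minute), as an added example that is not ErrorLens code. The clock is injected so the behaviour can be exercised without waiting. The class names, the in-memory state and the fixed-window algorithm are assumptions.

```javascript
// Added example, not ErrorLens code: login lockout and per-plan API rate limiting
// as described in the audit summary. State is an in-memory Map (assumed); the
// clock is injected so tests can advance time.

const MAX_FAILED_LOGINS = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

// Requests per minute by plan, as listed on the page.
const PLAN_LIMITS = { starter: 30, pro: 60, team: 120, enterprise: 300 };
const WINDOW_MS = 60 * 1000;

class LoginGuard {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // account -> { failures, lockedUntil }
  }

  // Milliseconds left on the lock for `account`, or 0 if a login may be attempted.
  lockedFor(account) {
    const s = this.state.get(account);
    if (!s || !s.lockedUntil) return 0;
    const left = s.lockedUntil - this.now();
    if (left > 0) return left;
    this.state.delete(account); // lock expired: the counter starts over
    return 0;
  }

  // Record a failed attempt. Returns true if the account is now locked.
  // Attempts made while locked are rejected without being counted or checked.
  recordFailure(account) {
    if (this.lockedFor(account) > 0) return true;
    const s = this.state.get(account) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILED_LOGINS) s.lockedUntil = this.now() + LOCKOUT_MS;
    this.state.set(account, s);
    return s.lockedUntil > 0;
  }

  // A successful login clears the failure counter.
  recordSuccess(account) {
    this.state.delete(account);
  }
}

class ApiRateLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.windows = new Map(); // apiKeyId -> { start, count }
  }

  // Account for one request. Returns { allowed, remaining, retryAfterMs }.
  check(apiKeyId, plan) {
    const limit = PLAN_LIMITS[plan];
    if (limit === undefined) throw new Error(`unknown plan: ${plan}`);
    const t = this.now();
    const windowStart = Math.floor(t / WINDOW_MS) * WINDOW_MS;
    let w = this.windows.get(apiKeyId);
    if (!w || w.start !== windowStart) {
      w = { start: windowStart, count: 0 }; // new minute, fresh budget
      this.windows.set(apiKeyId, w);
    }
    if (w.count >= limit) {
      return { allowed: false, remaining: 0, retryAfterMs: windowStart + WINDOW_MS - t };
    }
    w.count += 1;
    return { allowed: true, remaining: limit - w.count, retryAfterMs: 0 };
  }
}
```

Two caveats a practitioner would add. A lockout keyed only on the account lets anyone who knows a username lock its owner out at will, so pair it with a per-IP limit on the login route and return the same error whether the lock or the password caused the rejection. A fixed window admits up to twice the limit across a window boundary, and in-process state is not shared between serverless instances; a shared store (Redis, for example) with a sliding window or token bucket is the usual production shape.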