Encryption at Rest
All tokens encrypted with AES-256-GCM
Security Overview
Fp Switchboard is designed with security at its core. This page outlines our security architecture and practices.
Security Architecture
Section titled “Security Architecture”Encryption in Transit
TLS 1.3 for all connections
Zero Trust
Every request authenticated and authorized
Audit Logging
Complete audit trail for all operations
Token Security
Section titled “Token Security”Token Encryption
Section titled “Token Encryption”OAuth tokens and API keys are encrypted before storage:
- Algorithm: AES-256-GCM
- Key Management: Keys stored in Cloudflare Workers secrets
- Per-Tenant Keys: Each organization has unique encryption keys
Token Hashing
Section titled “Token Hashing”Fp Switchboard tokens (e.g., fps_unified_xxx) are stored as hashes:
- Algorithm: SHA-256 with salt
- Lookup: First 8 characters used for fast lookup
- Verification: Full hash comparison for authentication
Token Lifecycle
Section titled “Token Lifecycle”| Stage | Security Measure |
|---|---|
| Generation | Cryptographically secure random bytes |
| Storage | Encrypted at rest, hashed for verification |
| Transmission | TLS 1.3 only |
| Revocation | Immediate, tokens cannot be “unrevoked” |
| Expiration | Configurable, default 90 days |
Network Security
Section titled “Network Security”Cloudflare Protection
Section titled “Cloudflare Protection”All traffic passes through Cloudflare:
- WAF — Web Application Firewall blocks common attacks
- DDoS Protection — Automatic mitigation
- Bot Management — Blocks automated attacks
- Rate Limiting — Prevents abuse
Dashboard Access
Section titled “Dashboard Access”The dashboard at switchboard.fpdigital.ai is protected by:
- Cloudflare Access — Identity-aware proxy
- SSO Integration — Enterprise SSO supported
- MFA Required — Multi-factor authentication enforced
Data Security
Section titled “Data Security”Data Isolation
Section titled “Data Isolation”Each organization’s data is isolated:
- Separate encryption keys
- Database-level isolation (org_id on all tables)
- No cross-organization queries possible
Data Residency
Section titled “Data Residency”- Primary: Cloudflare global network
- Audit Logs: Cloudflare R2 (configurable region)
- EU Option: Available for enterprise customers
What We Store
Section titled “What We Store”| Data Type | Storage | Encryption |
|---|---|---|
| OAuth tokens | Cloudflare D1 | AES-256-GCM |
| Fp tokens | Cloudflare D1 | SHA-256 hash |
| Audit logs | Cloudflare R2 | AES-256 |
| User profiles | Cloudflare D1 | At rest |
What We Don’t Store
Section titled “What We Don’t Store”- User passwords (SSO only)
- Raw API responses
- Personal data from connected services
- Tool call results (beyond audit summary)
Access Control
Section titled “Access Control”Authentication
Section titled “Authentication”- Dashboard: Cloudflare Access (SSO/email)
- API: Bearer token authentication
- OAuth: Per-service OAuth flows
Authorization
Section titled “Authorization”- Role-Based: User, Org Admin, Platform Admin
- Service-Level: Users can only access connected services
- Token-Level: Tokens scoped to specific services/bundles
Vulnerability Management
Section titled “Vulnerability Management”Security Testing
Section titled “Security Testing”- Penetration Testing: Annual third-party assessment
- Dependency Scanning: Automated daily scans
- Code Review: All changes reviewed before deployment
Responsible Disclosure
Section titled “Responsible Disclosure”Found a vulnerability? Email security@fpdigital.ai
- We respond within 24 hours
- We don’t pursue legal action for good-faith reports
- We credit researchers (if desired)
Incident Response
Section titled “Incident Response”Detection
Section titled “Detection”- Real-time anomaly detection
- Automated alerting for suspicious patterns
- 24/7 monitoring
Response
Section titled “Response”- Enterprise SLA: 1-hour response
- Standard SLA: 4-hour response
- Post-incident reports within 5 business days
Compliance
Section titled “Compliance”SOC 2 Type II
Certified for security, availability, and confidentiality
GDPR
Compliant with EU data protection requirements
HIPAA
BAA available for healthcare organizations
PCI-DSS
Compliant handling of payment data
See Compliance for detailed compliance information.
Security FAQ
Section titled “Security FAQ”Are my credentials safe?
Section titled “Are my credentials safe?”Yes. Your OAuth tokens are encrypted with AES-256-GCM before storage. Even if our database were compromised, the tokens would be useless without the encryption keys, which are stored separately in Cloudflare Workers secrets.
Can Fp Digital employees see my data?
Section titled “Can Fp Digital employees see my data?”No. We have technical controls preventing employee access to customer data. Audit logs track all administrative access. Access to production systems requires approval and is logged.
What happens if my token is compromised?
Section titled “What happens if my token is compromised?”- Revoke the token immediately from the dashboard
- All associated access is terminated instantly
- Generate a new token
- Review audit logs for unauthorized access
How do you handle security updates?
Section titled “How do you handle security updates?”- Critical vulnerabilities: Patched within 24 hours
- High severity: Patched within 7 days
- Routine updates: Monthly maintenance window