Security

Data Encryption

All communication between the Crafting Sandbox system and the Internet is encrypted via HTTPS and TLS 1.2 or above. Internal communication between user workloads and the system is encrypted via mTLS, with certificates verified mutually by both parties.

HTTP services exposed to the Internet from user workloads always use HTTPS and TLS 1.2 or above, and are protected by a Single Sign-On system by default.

All user data is encrypted at rest using mechanisms provided by the cloud provider (Google Cloud). For self-hosted deployments, the encryption policy is determined by the configuration of the self-hosting account.

Highly sensitive information — including user-provided secrets and keypairs — is encrypted and secured in Vault, sealed using the Key Management System provided by the cloud provider.

Vulnerability Scanning

Continuous vulnerability scanning is applied to all components used internally by the system, and findings are addressed through an internal remediation process.

Availability

User information is stored in multiple replicas in real time, and the storage service includes automatic failover. Data generated in user workloads is backed up using the cloud provider's default configuration. Explicit deletion of data by users is not covered by this backup.

Third-Party Auditing

Third-party security experts are engaged to perform penetration tests on an annual basis.

Internal Controls

All full-time employees are required to complete security training. All personnel with access to the production system undergo background checks.