Security
Security is a core design principle of Tiny Owl, not an afterthought. This page describes the technical and organisational measures we use to protect your data and your applications.
Our Commitment
Lorem ipsum dolor sit amet, consectetur adipiscing elit. We apply industry-standard security controls at every layer of the stack β from the way we store credentials to the way your SDK signs event payloads β and we continuously review and improve our security posture.
We do not store sensitive data we do not need. We do not share your data with third parties beyond the processors listed in our Privacy Policy. In the event of a breach affecting your personal data, we will notify you within 72 hours as required by applicable law.
Security Practices
Authentication
JWT tokens are stored exclusively in HTTP-only cookies, making them inaccessible to JavaScript and protecting against XSS attacks.
Event Ingestion Security
All event ingestion requests are signed with HMAC-SHA256 using your project secret. Each request includes a timestamp and a unique cryptographic nonce, preventing replay attacks and tampered payloads.
Encryption at Rest
Project secrets are encrypted with AES-256-GCM. Key derivation uses PBKDF2 with 100,000 iterations and SHA-512, providing strong protection against brute-force attacks.
Encryption in Transit
All traffic between clients and the Tiny Owl API is encrypted using TLS (HTTPS). Plaintext HTTP connections are rejected.
Role-Based Access Control
Access to your organisation's data is governed by RBAC with three roles: Owner, Team Admin, and Member. Each role has a strictly scoped set of capabilities.
Audit Logging
Every sensitive account action is logged with the acting user's ID, role, IP address, user agent, timestamp, and the before/after state of changed resources.
Rate Limiting
All API endpoints are rate-limited to prevent abuse, denial-of-service attacks, and credential-stuffing attempts.
Secret Exposure Control
Project secrets are displayed only once β at creation or when explicitly regenerated. They are stored as hashed values and cannot be retrieved after initial display.
CSRF Protection
A CSRF protection token (tiny_owl_csrf) is issued alongside the session cookie to prevent cross-site request forgery attacks on authenticated endpoints.
Data Handling Summary
| Data type | How itβs stored |
|---|---|
| Passwords | bcrypt hash β never stored in plaintext |
| Project secrets | AES-256-GCM encrypted; shown only once at creation |
| API keys | Hashed; rotatable from the dashboard at any time |
| Session tokens | HTTP-only cookie; not accessible to JavaScript |
| Event data | Stored per your plan's retention window, then deleted |
| Billing details | Handled by Stripe β not stored on our servers |
Vulnerability Disclosure
Lorem ipsum dolor sit amet, consectetur adipiscing elit. If you discover a security vulnerability in Tiny Owl, we ask that you report it to us privately before public disclosure so we can investigate and release a fix.
Please report security issues to: info@np011.se
We aim to acknowledge all reports within 48 hours and to provide a fix or mitigation within a reasonable timeframe depending on severity.
Security questions?
If you have questions about our security practices or need to report a concern, please reach out.
Contact us