Trust + security
What we hold, what we don't.
Hosting your site means we're inside your trust boundary by default. This page names what data the platform retains, what it discards, how it's protected, who else touches it, and how to reach us when something looks wrong.
Privacy contract
The platform's analytics and access-log capture is minimised by design. The privacy contract is the same set of rules at every tier:
- No IP addresses persisted in analytics rollups. Per-site logs retain the IP for a 30-day rolling window for abuse investigation; it is never copied into the long-term analytics store.
- No User-Agent strings persisted in analytics rollups. Browser-fingerprintable fields stay out of the rollup substrate.
- No query-string capture. Analytics records the path and the response status; the query string is dropped at ingest.
- Aggregate rollups only. The public projection at /v1/public/status carries platform-level totals; per-site rollups are scoped to the site owner's authenticated session.
- No third-party trackers on yo.urspace.net or on platform-served customer sites by default. Customers can add their own; the platform never injects them.
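The following is an added example, not the platform's own ingest code, showing what the rules above look like when applied at the point of ingest. It takes constructed Combined Log Format lines (hypothetical addresses and paths), keeps only the path and response status for the analytics rollup, drops IP, User-Agent and query string before anything is aggregated, and checks the 30-day raw-log retention window. Function names, field names and the log format are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample access-log lines (Combined Log Format). Addresses, paths
# and tokens are made up for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /docs/start?utm_source=mail&token=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
198.51.100.23 - - [12/Mar/2024:10:15:09 +0000] "GET /docs/start HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2024:10:16:40 +0000] "POST /api/login?next=/dashboard HTTP/1.1" 401 88 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

# Combined Log Format: ip ident user [timestamp] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed retention window for the raw per-site log (the page states 30 days).
RAW_RETENTION = timedelta(days=30)


def parse_line(line):
    """Parse one raw log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def minimise(entry):
    """Build the analytics record: path and status only.

    The IP, User-Agent and query string are read from the raw entry but never
    placed in the returned record, so the rollup store cannot contain them.
    """
    path = urlsplit(entry["target"]).path   # strips '?...' at ingest
    return {"path": path, "status": int(entry["status"])}


def rollup(records):
    """Aggregate minimised records into (path, status) -> count totals."""
    return Counter((r["path"], r["status"]) for r in records)


def raw_log_expired(entry, now_iso):
    """True when a raw entry (which still carries the IP) is past the retention window."""
    now = datetime.fromisoformat(now_iso)
    return now - entry["ts"] > RAW_RETENTION


def process(log_text):
    """Full ingest path: parse raw lines, minimise each, and roll up the result."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return rollup(minimise(e) for e in entries)


if __name__ == "__main__":
    for (path, status), n in sorted(process(SAMPLE_LOG).items()):
        print(f"{status} {path}: {n}")
```

The important design point is that `minimise` is the only function that sees the raw entry and the rollup store only ever receives its return value; a reviewer can verify the privacy contract by reading that one function rather than auditing every downstream consumer.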
Compliance
- SOC 2 Type II. Annual audit covering security, availability, confidentiality, and privacy. Report available on request after a signed NDA. Anchor framework is NIST 800-53; the control set is published in the customer dashboard for active accounts.
- GDPR + CCPA. Data Processing Agreement (DPA) included by default for all paid tiers; available on request for Free-tier accounts that need it. The subprocessor list below is the canonical reference for subprocessor disclosure.
- Region-locked deploys. Enterprise-tier customers can pin a site's bundle storage and edge-function execution to a specific geographic set. Default tiers replicate to every region the platform operates in.
- DNSSEC. Every zone the platform is authoritative for is signed; KSK + ZSK rotate on automated schedules. Customers using delegated zones can opt in via their registrar's DS-record interface.
How it's protected
- TLS by default. Every customer-facing endpoint serves over HTTPS. ACME-issued certificates rotate every 60 days; bring-your-own certs are served unmodified.
- At-rest encryption. Bundle storage is encrypted with AES-256-GCM; keys rotate quarterly and are scoped per region, so cross-region access requires a key pull from the calling region's KMS.
- Distributed tracing. OpenTelemetry traces flow through the proxy, the edge runtime, and the API tier. Every request is reachable by trace ID for 45 days. Customer-side tracing is opt-in per route.
- Chaos testing. Quarterly fault-injection exercises drive a region into a 'degraded' state to confirm that dashboard, alert, and routing behaviour matches the documentation. Post-exercise reports land on the public status page.
- Hermetic-image gating. Production images are built from pinned digests; deploys to production require the gate's pre-flight check. Reproducible from the released git commit at any point in the support window.
Subprocessors
Third parties that may process customer data on our behalf. This list is the canonical reference; changes go through a 30-day notice window before a new subprocessor enters the production path. Customers on paid tiers can subscribe to the subprocessor-changes RSS feed at /trust/subprocessors.rss.
| Provider | Purpose | Region |
|---|---|---|
| Stripe | Billing + payment processing | US, EU |
| AWS S3 | Bundle store backups (encrypted) | US-East, EU-West |
| Hetzner | Primary compute + edge (regions A–C) | DE, FI |
| OVH | Compute + edge (regions D–F) | FR, CA |
| Cloudflare | Anycast DNS for *.yo.urspace.net (transition path) | Global |
| Postmark | Transactional email (account, verification, alerts) | US |
| Sentry (self-hosted) | Error reporting | DE |
Vulnerability disclosure
Found something? Email security@yo.urspace.net with details; a PGP key is available on request from the same address. We acknowledge within one business day. Remediation timelines depend on severity, but the standard SLA for a full triage response is 48 hours.
We operate a coordinated-disclosure programme: bounties for confirmed reports, named credit on the security advisories page, no legal action against good-faith researchers. Full policy at /trust/disclosure.
Procurement-side reading?
The Enterprise tier carries the auditor's report: SOC 2 Type II, DPA, region-locked deploys, dedicated solutions engineer, named oncall.