A security product has to be secure, first.

Data residency

StyloBot runs entirely inside your environment - Docker, Kubernetes, bare metal, or the YARP reverse-proxy gateway embedded in your ASP.NET Core app. No request payloads, raw IPs, or detection decisions are sent to stylobot.net. The only data that ever reaches us is billing / licensing metadata when you interact with the customer portal.

Privacy-aware signal design

The default pipeline transforms raw identifiers before durable storage. Raw IPs and other identity-bearing fields are HMAC-SHA256 hashed with a per-deployment key. User agents may be stored after PII stripping so the runtime can perform richer parsing, version analysis, and dashboard grouping without keeping arbitrary header content. The blackboard that detectors write to carries derived signals (request.ip.is_datacenter, detection.useragent.confidence) rather than raw request payloads.

See Mostlylucid.BotDetection/docs/blackboard-and-pii.md in the OSS repo for the full signal catalogue.

Pipeline trace & audit trail

StyloBot does not just store a final bot score. Each detection event can carry the real decision trace from the pipeline: normalized raw signals, derived signals, detector contributions, confidence deltas, reason strings, signature factors, aggregation output, risk band, and the policy action that was selected.

The dashboard event store lets operators inspect why a request was allowed, throttled, challenged, or blocked without reconstructing the decision from logs. Response headers can expose a compact reason summary when enabled; the dashboard keeps the richer operational trace.

On the commercial tier, configuration changes and endpoint overrides are tracked alongside the detection trace, so teams can connect "what policy was active" with "why this request received this action." Customer portal events such as license issuance, team changes, and token downloads land in an immutable license_audits table for SOC 2 evidence.

Encryption

TLS 1.2+ everywhere - customer portal terminates at Caddy with automatic Let's Encrypt certificates. Portal database uses Postgres native TLS. License tokens are Ed25519-signed; the vendor private key lives in a secrets vault (HashiCorp Vault / AWS KMS / Azure Key Vault) and is never exposed to application memory beyond the signing call.

Authentication

The customer portal authenticates via Keycloak 26, with MFA (TOTP) available and optionally required. External identity providers (Google, Microsoft, GitHub) plug in at the realm level. For the self-hosted product, OSS ships ASP.NET Core Identity (local accounts + MFA); commercial tiers unlock OIDC relying-party configuration so you bring your own IdP - Keycloak, Azure AD, Okta, Auth0, Google Workspace. Enterprise adds SAML 2.0 + SCIM.

Compliance posture

• GDPR: the detection pipeline is designed to minimize personal data persistence through HMACed identifiers, stripped user agents, derived signals, and customer-controlled deployment keys. Portal customer data (email, org name) is covered by standard DPA.
• SOC 2 Type II: in progress - audit log, change management, and access control infrastructure in place; auditor engagement scheduled.
• Data processing agreements: on request for commercial customers.

Responsible disclosure

Report security issues to [email protected] with your PGP-encrypted report. We acknowledge within 48 hours, ship a fix or workaround within 14 days for critical issues, and credit reporters in the release notes unless asked otherwise. No lawyers, no NDAs required for good-faith research.

Incident history

None reported. We'll publish post-mortems publicly when they happen - every security product has incidents eventually, and honest disclosure is part of how we earn the trust we're asking for.