Security & Infrastructure
Last updated: February 2026 · Version 1.1
Compliance overview
| Regulation | Status | How it is enforced |
|---|---|---|
| GDPR (EU) | Compliant | No IP addresses stored · Do Not Track (DNT) header respected · Erasure via account deletion; dependent records are anonymised by ON DELETE SET NULL foreign keys · 90-day analytics retention |
| CCPA / CPRA (CA) | Compliant | No data selling · Right to delete · Right to know · First-party analytics only |
| PCI-DSS | Out of scope | No card data ever reaches our servers. Dodo Payments (certified PCI-DSS Level 1 processor) handles all card capture. |
| SOC 2 | Aligned | 28 named guardrails enforced as CI gates · Immutable audit logs · Access control at both the route and the resource layer |
| TLS / HTTPS | Enforced | Traefik + Let's Encrypt (auto-renewing). HTTP redirected to HTTPS. TLS 1.2 and 1.3 only. |
Payment security
All payments are processed by Dodo Payments, a PCI-DSS Level 1 certified payment processor. Card numbers, CVVs, and bank details are captured entirely on Dodo's hosted checkout page and never transmitted to our servers.
We store only opaque processor references (a customer ID and a subscription ID); these cannot be used to initiate charges or retrieve card details. Billing webhook events are verified by HMAC-SHA256 signature over the raw request body before any account state is changed.
Our payment event log is append-only — no record is ever modified or deleted. Every state change is permanently auditable.
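The two payment controls above, signature verification before any state change and an append-only event log, as a worked example. This is added illustration, not the service's code and not Dodo Payments' documented webhook format: the header names, the `timestamp.body` signing layout, the 5-minute replay window, the event payload shape and the SQLite stand-in for the database are all assumptions. The log is made append-only by triggers rather than by convention, and the processor event ID is the primary key so a redelivered event is a no-op.

```python
import hashlib
import hmac
import json
import sqlite3
import time

# Header names and signing layout are assumptions for this example; use the processor's documented scheme.
SIG_HEADER = "Webhook-Signature"
TS_HEADER = "Webhook-Timestamp"
MAX_SKEW_SECONDS = 300   # reject deliveries whose timestamp is outside this window (replay limit)


def compute_signature(secret, timestamp, body):
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp is covered by the MAC."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify_signature(secret, headers, body, now=None):
    """True only if the signature matches the raw body and the timestamp is fresh."""
    sig = headers.get(SIG_HEADER, "")
    ts = headers.get(TS_HEADER, "")
    if not sig or not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = compute_signature(secret, ts, body)
    return hmac.compare_digest(expected.encode(), sig.encode())   # constant-time comparison


def open_event_log():
    """In-memory stand-in for the payment event table, made append-only by triggers."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE payment_events (
            event_id    TEXT PRIMARY KEY,   -- processor event id: a redelivery cannot be applied twice
            event_type  TEXT NOT NULL,
            payload     TEXT NOT NULL,
            received_at INTEGER NOT NULL
        );
        CREATE TRIGGER payment_events_no_update BEFORE UPDATE ON payment_events
            BEGIN SELECT RAISE(ABORT, 'payment_events is append-only'); END;
        CREATE TRIGGER payment_events_no_delete BEFORE DELETE ON payment_events
            BEGIN SELECT RAISE(ABORT, 'payment_events is append-only'); END;
    """)
    return db


def handle_webhook(db, accounts, secret, headers, body, now=None):
    """Verify, log, then apply. Returns 'rejected', 'duplicate' or 'applied'."""
    if not verify_signature(secret, headers, body, now):
        return "rejected"                       # nothing is parsed, let alone applied
    event = json.loads(body)                    # parse only after the MAC checks out
    try:
        db.execute("INSERT INTO payment_events VALUES (?, ?, ?, ?)",
                   (event["id"], event["type"], body.decode(),
                    int(time.time() if now is None else now)))
        db.commit()
    except sqlite3.IntegrityError:
        return "duplicate"                      # same event_id seen before: already applied
    # Example account change keyed by the opaque processor customer id (assumed payload layout).
    accounts[event["data"]["customer_id"]] = event["type"]
    return "applied"


def log_is_append_only(db):
    """Probe the triggers: insert a row in a transaction, try to alter and delete it, roll back."""
    db.execute("INSERT INTO payment_events VALUES ('probe', 'probe', '{}', 0)")
    blocked = 0
    for stmt in ("UPDATE payment_events SET event_type = 'x' WHERE event_id = 'probe'",
                 "DELETE FROM payment_events WHERE event_id = 'probe'"):
        try:
            db.execute(stmt)
        except sqlite3.DatabaseError:
            blocked += 1
    db.rollback()
    return blocked == 2
```

The order matters: the MAC is checked over the raw bytes before `json.loads` runs, the event is durably logged before the account is touched, and `hmac.compare_digest` is used so that a wrong signature takes the same time to reject whether it is wrong in the first byte or the last.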
Infrastructure
- PostgreSQL and Redis are not publicly reachable — internal Docker network only
- Traefik is the single public ingress point; all other ports are closed
- Backend runs as non-root user (UID 1000); frontend runs as UID 1001
- No privileged containers
- At-rest encryption: managed by the hosting provider (AES-256)
- In-transit encryption: TLS 1.2/1.3 enforced at Traefik
- Secrets never appear in source code, Docker images, or logs
- Database backups are encrypted
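A way to check the container-level claims in the list above against a running host, added here as an example rather than taken from the service's tooling. It reads `docker inspect` output (the real `Config.User`, `HostConfig.Privileged`, `HostConfig.PortBindings` and `NetworkSettings.Networks` fields) and flags privileged containers, root users, ports published by anything other than the ingress, and datastores attached to a network that is not `--internal`. The sample containers, the network name `app_internal`, and the UIDs for traefik, postgres and redis are constructed; the page states only the backend and frontend UIDs.

```python
import json
import sys


def runs_as_root(user):
    """Config.User is '' (image default, i.e. root), 'name', 'uid' or 'uid:gid'."""
    return user.split(":")[0] in ("", "0", "root")


def published_ports(host_config):
    """Ports bound on the host, e.g. {'80/tcp'}; PortBindings is null when nothing is published."""
    return {port for port, bindings in (host_config.get("PortBindings") or {}).items() if bindings}


def audit(containers, internal_networks, ingress="traefik", datastores=("postgres", "redis")):
    """Check `docker inspect` output against the stated posture; return a list of findings."""
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        host_config = c["HostConfig"]
        networks = set(c["NetworkSettings"]["Networks"])
        if host_config.get("Privileged"):
            findings.append(f"{name}: privileged container")
        if runs_as_root(c["Config"].get("User") or ""):
            findings.append(f"{name}: runs as root")
        ports = published_ports(host_config)
        if name == ingress:
            unexpected = ports - {"80/tcp", "443/tcp"}
            if unexpected:
                findings.append(f"{name}: ingress publishes unexpected ports {sorted(unexpected)}")
        elif ports:
            findings.append(f"{name}: publishes {sorted(ports)} but is not the ingress")
        exposed = networks - internal_networks
        if name in datastores and exposed:
            findings.append(f"{name}: reachable via non-internal network(s) {sorted(exposed)}")
    return findings


def container(name, user, networks, ports=(), privileged=False):
    """Constructed sample: the subset of `docker inspect` output the audit reads."""
    return {
        "Name": "/" + name,
        "Config": {"User": user},
        "HostConfig": {
            "Privileged": privileged,
            "PortBindings": {p: [{"HostIp": "0.0.0.0", "HostPort": p.split("/")[0]}] for p in ports} or None,
        },
        "NetworkSettings": {"Networks": {n: {} for n in networks}},
    }


INTERNAL_NETWORKS = {"app_internal"}   # created with `docker network create --internal`; name assumed

GOOD = [  # UIDs for traefik, postgres and redis are assumptions; the page states only 1000 and 1001
    container("traefik", "2000", ["app_internal", "public"], ports=["80/tcp", "443/tcp"]),
    container("backend", "1000", ["app_internal"]),
    container("frontend", "1001", ["app_internal"]),
    container("postgres", "999", ["app_internal"]),
    container("redis", "999", ["app_internal"]),
]

BAD = [  # deliberately wrong: a privileged backend and a root postgres published on a public network
    container("backend", "1000", ["app_internal"], privileged=True),
    container("postgres", "", ["app_internal", "public"], ports=["5432/tcp"]),
]

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit.py app_internal
    for finding in audit(json.load(sys.stdin), set(sys.argv[1:])):
        print(finding)
```

Pass the names of your internal networks as arguments; anything not listed is treated as reachable. The script does not cover `HostConfig.NetworkMode` (host networking bypasses port publishing entirely) or `HostConfig.CapAdd`, both of which are worth a look in the same output.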
Analytics privacy model
Our engagement analytics (open and click tracking) are built without collecting any personal identifiers beyond a pseudonymous account UUID.
The tracking pixel endpoint always returns the same 43-byte GIF regardless of any parameter, so the response reveals nothing about whether a given account or newsletter exists. Logging happens asynchronously after the response is sent. Redis deduplication and a database UNIQUE constraint together guarantee that a single newsletter open produces at most one row in the database.
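The pixel handler described above as a runnable example. This is added code, not the service's implementation: the 43-byte GIF bytes, the query parameter names `n` and `a`, and the in-process set and queue standing in for Redis and the background worker are assumptions. The point it demonstrates is the layering: the handler never branches on its input when building the response, and the UNIQUE constraint still holds the line when the fast dedupe layer forgets (Redis key expired or evicted).

```python
import sqlite3
import uuid
from collections import deque

# 1x1 transparent GIF89a, 43 bytes. Constructed for this example; assumed to match the page's pixel.
PIXEL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"   # header, logical screen, 2-colour table
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"                              # graphic control ext: transparent
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"                      # image descriptor 1x1
    b"\x02\x02\x44\x01\x00\x3b"                                      # LZW data + trailer
)

# One pre-built response; the handler returns this object for every request.
PIXEL_RESPONSE = (200, {"Content-Type": "image/gif", "Content-Length": str(len(PIXEL_GIF)),
                        "Cache-Control": "no-store, max-age=0"}, PIXEL_GIF)


def is_uuid(value):
    try:
        uuid.UUID(value)
        return True
    except (ValueError, TypeError, AttributeError):
        return False


class OpenTracker:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE newsletter_opens ("
            " newsletter_id TEXT NOT NULL, account_id TEXT NOT NULL,"
            " UNIQUE (newsletter_id, account_id))"   # layer 2: the authoritative guarantee
        )
        self.seen = set()        # layer 1: stands in for Redis SET NX with a TTL
        self.pending = deque()   # stands in for the async job queue drained after the response

    def handle_pixel(self, params):
        """Request handler: identical response for every request; all work is deferred."""
        nid, aid = params.get("n"), params.get("a")
        if is_uuid(nid) and is_uuid(aid):    # malformed or missing ids are dropped silently
            self.pending.append((nid, aid))
        return PIXEL_RESPONSE

    def flush(self):
        """Background worker. Returns the number of rows actually inserted."""
        inserted = 0
        while self.pending:
            key = self.pending.popleft()
            if key in self.seen:             # cheap check first, avoids a DB round trip
                continue
            self.seen.add(key)
            cur = self.db.execute(
                "INSERT OR IGNORE INTO newsletter_opens (newsletter_id, account_id) VALUES (?, ?)",
                key)                         # rowcount is 0 when the UNIQUE constraint ignores it
            inserted += cur.rowcount
        self.db.commit()
        return inserted

    def open_count(self, newsletter_id):
        row = self.db.execute("SELECT COUNT(*) FROM newsletter_opens WHERE newsletter_id = ?",
                              (newsletter_id,)).fetchone()
        return row[0]
```

Clearing `tracker.seen` between two flushes of the same open simulates a Redis key expiring; the second flush inserts nothing because the constraint, not the cache, is what enforces one row per open.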
The click redirect endpoint validates destination URLs before redirecting. Private IP ranges, loopback addresses, and internal hostnames are rejected so that the endpoint cannot be used as a redirect into internal services.
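A destination-URL validator of the kind described above, added here as an example; it is not the service's code. It goes a little beyond the three rejection classes the text names: it also rejects non-http(s) schemes and URLs with credentials, unwraps IPv4-mapped IPv6 literals, and resolves DNS names so a public-looking hostname that points at an internal address (or a non-dotted-decimal form such as `0x7f.1`) is still blocked. The blocked-suffix list and the hostnames in the sample resolver table are constructed; `resolve` has `socket.getaddrinfo`'s call shape so a fake can be injected offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Names and suffixes treated as internal regardless of what they resolve to (assumed list).
INTERNAL_HOSTS = {"localhost"}
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal", ".lan", ".home.arpa")


def is_internal_ip(ip):
    """True for anything not globally routable: RFC 1918, loopback, link-local
    (so 169.254.169.254), CGNAT 100.64/10, IPv6 ULA, unspecified and reserved space."""
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:10.0.0.5 is really 10.0.0.5
        ip = ip.ipv4_mapped
    return not ip.is_global


def is_safe_redirect_target(url, resolve=socket.getaddrinfo):
    """Return True only if `url` is an http(s) URL whose host is a public name or address."""
    try:
        parts = urlsplit(url)
        host = parts.hostname            # lower-cased, brackets stripped; ValueError on bad IPv6 syntax
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if parts.username is not None or parts.password is not None:
        return False                     # http://trusted.example@evil.example tricks
    host = host.rstrip(".")
    try:
        ip = ipaddress.ip_address(host)  # literal IPv4 or IPv6 address
    except ValueError:
        ip = None
    if ip is not None:
        return not is_internal_ip(ip)
    if host in INTERNAL_HOSTS or host.endswith(INTERNAL_SUFFIXES) or "." not in host:
        return False                     # single-label names are Docker service names and the like
    try:
        infos = resolve(host, None)      # a DNS name must resolve, and every address must be public
    except OSError:                      # socket.gaierror is a subclass
        return False
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    return bool(addrs) and not any(is_internal_ip(a) for a in addrs)


def make_resolver(table):
    """Build a getaddrinfo-shaped resolver from a {hostname: [ip, ...]} dict (offline testing)."""
    def resolve(host, port, *args, **kwargs):
        if host not in table:
            raise socket.gaierror("name not found")
        return [(socket.AF_INET6 if ":" in a else socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0))
                for a in table[host]]
    return resolve
```

Two caveats. First, resolving at validation time narrows but does not close the DNS rebinding window; if the redirect target is ever fetched server-side, the fetch must use the address that was validated. Second, this check only filters internal targets: any public destination passes, which is the intended behaviour for newsletter links but is not a defence against redirects to arbitrary external sites.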
Responsible disclosure
If you discover a security vulnerability, please report it to security@inklessdaily.com. We will acknowledge receipt within 24 hours and aim to resolve critical issues within 7 days.