# Security Overview
How Feedz protects your packages and data — from infrastructure and encryption to access control and responsible disclosure.
## Infrastructure and hosting
Feedz is hosted entirely on Microsoft Azure. All components run within Azure's managed infrastructure, which provides physical security, network isolation, and platform-level compliance controls.
Internal systems are not exposed to the public internet. Administrative access requires multi-factor authentication and is restricted to authorised personnel only.
## Encryption
All data in transit is encrypted using TLS 1.2 or higher. HTTP connections are refused — all feed URLs and portal traffic are HTTPS only. Feedz enforces HTTP Strict Transport Security (HSTS) on all endpoints.
Data at rest is encrypted using Azure Storage Service Encryption, which uses AES-256 and is managed transparently by the platform.
Sensitive configuration values such as connection strings and API keys are stored in Azure Key Vault and are never written to disk or application configuration files.
## Access control
Feedz provides granular access control at the organisation and repository level. Permissions are assigned to teams, and members and service accounts belong to one or more teams. See Permissions Reference for the full permission model.
Access tokens are never stored in plain text. Feedz stores only a cryptographic hash of each token — the original value cannot be recovered from the stored hash. Only the first 7 characters are retained for identification purposes.
For automation and CI/CD pipelines, service accounts should be used instead of personal access tokens. Service account tokens are scoped to specific teams and can be revoked independently of any individual's access.
## Data protection
Package files and database records are replicated across multiple Azure availability zones. Backups are stored in a separate Azure region to provide geographic redundancy.
When packages are deleted, the underlying files are moved to cold storage and held for a recovery period before permanent deletion. This protects against accidental data loss. See Package Recovery for recovery windows by plan.
## Third-party services
Feedz uses a small number of trusted third-party services:
| Service | Purpose |
|---|---|
| Auth0 | User identity and authentication |
| Stripe | Payment processing and subscription management |
Payment card data is handled entirely by Stripe and never passes through or is stored on Feedz servers.
## Application security
The Feedz application is developed following OWASP secure development practices. This includes protection against common vulnerabilities such as injection attacks, cross-site scripting, and cross-site request forgery.
Dependencies are regularly reviewed and updated to incorporate security patches.
## Responsible disclosure
If you discover a security vulnerability in Feedz, please report it to security@feedz.io. Include as much detail as possible — steps to reproduce, affected endpoints, and any supporting evidence.
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and address it. We will acknowledge your report promptly and keep you informed of progress.