Practical security controls, current trust disclosures, and no trust theater.

Encrypted transport

Traffic to Corral is served over HTTPS with TLS, and HSTS is enabled so browsers continue to prefer secure connections after the first visit.

Encryption at rest

Database and disk storage are encrypted at rest by the hosting and database providers. Key management is handled at the infrastructure layer.

Default-deny perimeter

Production hosts use a default-deny firewall posture and expose only the network access required to operate the service.

Hardened administrative access

Interactive root SSH access is disabled, and repeated SSH abuse is blocked automatically to reduce the chance of successful credential guessing.

Minimal exposed surface

We keep the public surface area narrow by binding app services to loopback and stripping unnecessary service metadata at the proxy.

Rate-limited form endpoints

The public lead and contact form endpoints enforce per-IP request limits in the application layer to make repeated submission abuse less productive.

Security headers

Responses include a content security policy, frame-denial headers, MIME sniffing protection, strict referrer controls, and a restrictive permissions policy.

Submission validation

Public forms use honeypot fields, required-field checks, and basic email validation before data is accepted.

Escaped notification rendering

Form content is HTML-escaped before it is rendered in notification emails, so submitted content is handled as data rather than rendered markup.

Low-fingerprint responses

We disable framework-identifying headers such as X-Powered-By, and the public lead and contact endpoints keep server error responses intentionally minimal.

Structured operational records

Lead and contact workflows use structured database operations rather than ad hoc SQL in request handlers.

First-party analytics path

Browser-side analytics use a first-party /ingest path, while server-side events use PostHog's configured backend host.

Current geographic posture

Corral does not currently target EU users, and the current analytics configuration points at PostHog's US service.

Least-privilege operator access

Production server access is limited to a single named operator account. The application runs under a dedicated unprivileged user with no interactive login.

No shared credentials

Each operator authenticates with individual SSH keys. There are no shared passwords or group accounts for production access.

Restricted data access

Operator access to customer data is limited and restricted to operational or security needs.

Key-only authentication

Password-based SSH authentication is disabled. Access requires a pre-authorized key pair, and repeated failed attempts are blocked automatically.

Detection

We monitor service health, error rates, and access patterns. Unexpected behavior triggers investigation.

Response

Confirmed incidents are triaged by severity. Affected systems are isolated and remediated before restoring service.

Notification

If a security incident affects customer data, we notify affected customers within 72 hours of confirmation.

Used as the database for product data, including Hallucination Guard documents and related records.

Used for lead and contact workflow records through structured database operations.

Used to deliver operational email for lead and contact workflows initiated through Corral.

Used to process analytics events so we can understand traffic, page usage, and the performance of site calls to action.

Used to host corral-ai.app and the supporting systems that keep the site available.

SOC 2 Type II

Planned as the customer base and operational scope justify a formal assurance program. We do not claim SOC 2 certification today.

Third-party penetration testing

Planned as part of the next stage of external validation. Internal misuse-oriented testing informs controls today, but independent penetration testing is still on the roadmap.