Security

Security controls informed by ISO 27001 principles

Disclaimer: Controls are informed by ISO 27001 principles. This is not certification or audit.

DESIGN REFERENCE

ISO 27001 Alignment

Controls designed with reference to ISO/IEC 27001:2022 Annex A.

ISO 27001 Annex A Mapping

Note: This is a non-exhaustive subset of selected controls. A full Statement of Applicability (SoA) is maintained internally for enterprise due diligence requests.

Annex A Control	Implementation	✓
A.5.1 Security policies	Terms, Privacy Policy, AGB	✓
A.5.15 Access control	API key auth (X-API-Key header), rate limits	✓
A.5.23 Cloud security	EU residency, Cloudflare, TLS	✓
A.5.28 Evidence collection	On-chain attestations, DAP hashes	✓
A.8.9 Configuration mgmt	Versioned APIs, systemd, nginx	✓
A.8.13 Backup	Daily encrypted, cross-server sync	✓
A.8.15 Logging	Request IDs, access logs, monitoring	✓
A.8.20 Network security	TLS 1.2+, HSTS, CSP, firewall	✓
A.8.24 Cryptography	SHA-256, TLS, on-chain anchors	✓
A.8.26 App security	Input validation, rate limiting	✓

Security Headers

Header	Status
`Strict-Transport-Security`	✓
`X-Frame-Options`	✓
`X-Content-Type-Options`	✓
`X-XSS-Protection`	✓
`Referrer-Policy`	✓
`Permissions-Policy`	✓
`Content-Security-Policy`	✓

Enterprise API Endpoint

Dedicated Enterprise Endpoint: https://api.feedoracle.io

Feature	Details	Status
Base URL	`https://api.feedoracle.io`	✓
SSL Certificate	Edge: Cloudflare-issued · Origin: Let's Encrypt (auto-renewal)	✓
TLS Version	1.2+ enforced	✓
Rate Limit	10 req/s + burst 20	✓
Max Connections	10 concurrent per IP	✓
Data Residency	Germany (EU)	✓

Transport Security

✓ TLS 1.2+ required
✓ HTTPS enforced
✓ HSTS preload
✓ Modern ciphers only

API Security

✓ X-API-Key header auth
✓ Rate limiting per key
✓ Request ID tracking
✓ IP throttling

Data Protection

✓ GDPR-aligned controls
✓ Data residency: Germany/EU
✓ Primary storage in EU; CDN metadata may transit globally
✓ Encrypted at rest & transit

Infrastructure

✓ Hosted in Germany (netcup)
✓ Cloudflare DDoS
✓ Auto security updates
✓ Daily encrypted backups
✓ SSH key-only auth

Subprocessors

Provider	Purpose	Location
netcup GmbH	Server hosting	Germany
Cloudflare	DDoS, DNS, CDN	Global (EU config)
ISRG (Let's Encrypt)	TLS certificates	US (automated)

No customer data shared with analytics, advertising, or AI training services.

Data Retention

API request logs: 90 days, auto-purged
Evidence packs: indefinite (blockchain-anchored)
Account data: subscription + 30 days
Backups: encrypted, 7-day rolling

Key Management

ECDSA ES256K (secp256k1) signing keys for evidence packs
Keys on isolated server, not via public API
Public keys at /.well-known/jwks.json
Rotation: annual or on compromise

Incident Response

Health checks every 60s with alerts
Initial triage: within 1 hour
Customer notification: within 24h for data-affecting incidents
Post-incident review on status page

Vulnerability Disclosure Policy

FeedOracle welcomes responsible vulnerability reports from security researchers and the community.

Step	Description	SLA
1. Report	Email security@feedoracle.io with description, reproduction steps, and impact assessment	—
2. Acknowledgement	We confirm receipt and assign a tracking reference	48 hours
3. Triage	Severity assessment (Critical / High / Medium / Low)	5 business days
4. Remediation	Fix developed and tested	Severity-dependent
5. Disclosure	Coordinated disclosure after fix deployed	90 days max

Scope: All *.feedoracle.io domains, public API endpoints, and published client libraries. Out of scope: social engineering, DoS, third-party services (Cloudflare, CDN).

We do not pursue legal action against researchers acting in good faith. Please avoid accessing customer data, disrupting services, or publicly disclosing before coordinated disclosure.

Downloads

Security Controls (MD)Self-Declaration (MD)ISO Standards Trust & DORA

This is not ISO 27001 certification. Organizations responsible for own assessments.

· Trust · Standards