Security Disclosure v1.0
Security Contact: admin@autodigitalcoin.com
Response Time: 24-72 hours for critical vulnerabilities
1. Security Architecture
1.1 Stateless Design
- No PII or wallet addresses stored
- No transaction data retention
- Aggregated telemetry only (90-day retention)
- Minimal attack surface
1.2 Infrastructure
- Cloud Provider: AWS (us-east-1, ap-southeast-2)
- Compute: AWS Lambda (serverless, isolated execution)
- Storage: DynamoDB (encrypted at rest), S3 (static assets)
- API Gateway: AWS API Gateway with WAF
- Secrets: AWS Secrets Manager (no hardcoded credentials)
2. Encryption
2.1 In Transit
- TLS 1.2+ for all API traffic
- HTTPS enforced (no HTTP)
- CloudFront CDN with TLS termination
2.2 At Rest
- AWS KMS: Encryption for DynamoDB and S3
- API Keys: Hashed with bcrypt (not reversible)
- Secrets: AWS Secrets Manager with automatic rotation
3. Authentication and Authorization
3.1 API Key Authentication
- Header: x-api-key: YOUR_API_KEY
- Keys hashed and stored securely
- Rate limiting per key
- Sandbox endpoints: No key required (IP-based rate limits)
3.2 IAM Policies
- Least-privilege access for Lambda functions
- No public S3 buckets (CloudFront only)
- Secrets Manager read-only access for Lambdas
4. Rate Limiting and DDoS Protection
4.1 Rate Limits
| Tier | Limits |
|------|--------|
| Sandbox | 10/min, 100/hour, 500/day per IP |
| Starter | 2,500/month per API key |
| Professional | 10,000/month per API key |
| Enterprise | 50,000/month per API key |
4.2 DDoS Protection
- AWS WAF: Layer 7 protection
- CloudFront: Layer 3/4 protection
- AWS Shield Standard: Automatic DDoS mitigation
5. Vulnerability Management
5.1 Responsible Disclosure
If you discover a security vulnerability:
- Email: admin@autodigitalcoin.com
- Subject: "Security Vulnerability - zkOrigoPlus"
- Include: Description, steps to reproduce, impact assessment
- Do NOT publicly disclose until we confirm a fix
5.2 Response Timeline
- Critical: 24-72 hours acknowledgment, 7-14 days fix
- High: 48-96 hours acknowledgment, 14-30 days fix
- Medium/Low: Best-effort response
5.3 Bug Bounty
No formal bug bounty program. Acknowledgment provided for responsible disclosures.
6. Incident Response
6.1 Detection
- CloudWatch alarms for anomalies
- WAF logs monitoring
- Manual security reviews (quarterly)
6.2 Response Process
- Incident detection and triage
- Containment (disable affected endpoints if needed)
- Investigation and root cause analysis
- Remediation and patching
- Post-incident review (for major incidents)
6.3 Notification
- Status page updates: zkorigoapi.com/status
- Email notifications for paid subscribers (if data breach)
- No notification for minor incidents (no PII stored)
7. Compliance and Certifications
7.1 Current Status
zkOrigoPlus does NOT currently hold:
- SOC 2 Type II
- ISO 27001
- PCI DSS
7.2 AWS Compliance
Infrastructure inherits AWS certifications:
- SOC 1/2/3
- ISO 27001/27017/27018
- PCI DSS Level 1
- GDPR compliance
8. Third-Party Dependencies
8.1 External RPC Providers
The service queries public blockchain RPC endpoints. Their security is NOT under our control:
- eth.llamarpc.com
- blockstream.info
- polygon-rpc.com
- horizon.stellar.org
- xrplcluster.com
- mainnet-public.mirrornode.hedera.com
8.2 Payment Processor
- Stripe: PCI DSS Level 1 certified
- No credit card data stored by zkOrigoPlus
9. Data Security
9.1 What We Store
- Aggregated telemetry (90 days)
- API key metadata (hashed)
- Technical logs (7 days)
9.2 What We Do NOT Store
- Wallet addresses or private keys
- Transaction hashes
- PII or identity documents
See Privacy Policy for details.
10. Security Best Practices for Users
- API Keys: Never commit to Git or expose publicly
- Environment Variables: Store keys securely (e.g., AWS Secrets Manager)
- HTTPS Only: Always use HTTPS endpoints
- Rate Limits: Implement client-side rate limiting
- Error Handling: Do not log API keys in error messages
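The user-side practices listed above, together with the x-api-key header of section 3.1 and the sandbox windows of section 4.1, as an added Python example; this is not part of this disclosure and is not zkOrigoPlus client or service code. The environment variable name ZKORIGO_API_KEY and the endpoint URL are placeholders, and the limiter generalises the sandbox figures into a multi-window sliding limiter that a client can configure for any tier.

```python
"""Client-side hygiene for a key-authenticated HTTPS API (added example)."""
import os
import time
from collections import deque
from typing import Callable, Deque, Dict, Optional
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed to mirror the Sandbox tier: {window_seconds: max_calls}.
SANDBOX_WINDOWS: Dict[int, int] = {60: 10, 3600: 100, 86400: 500}


class MultiWindowLimiter:
    """Sliding-window limiter enforcing several (window, limit) pairs at once.

    A call is permitted only if every window still has room; the clock is
    injectable so the limiter can be exercised deterministically in tests.
    """

    def __init__(self, windows: Dict[int, int],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.windows = windows
        self.clock = clock
        self.calls: Deque[float] = deque()  # timestamps of permitted calls

    def allow(self) -> bool:
        now = self.clock()
        longest = max(self.windows)
        # Drop timestamps that no longer fall inside the longest window.
        while self.calls and now - self.calls[0] >= longest:
            self.calls.popleft()
        for window, limit in self.windows.items():
            if sum(1 for t in self.calls if now - t < window) >= limit:
                return False
        self.calls.append(now)
        return True


def load_api_key(env_var: str = "ZKORIGO_API_KEY") -> str:
    """Read the key from the environment; never embed it in source (section 10)."""
    key = os.environ.get(env_var)  # env var name is a placeholder
    if not key:
        raise RuntimeError(f"API key missing: set the {env_var} environment variable")
    return key


def build_request(url: str, api_key: Optional[str] = None) -> Request:
    """Refuse plain-HTTP endpoints and attach the x-api-key header (section 3.1)."""
    if urlparse(url).scheme != "https":
        raise ValueError("refusing non-HTTPS endpoint: " + url)
    req = Request(url)
    if api_key:  # sandbox calls carry no key
        req.add_header("x-api-key", api_key)
    return req


def redact(message: str, api_key: Optional[str]) -> str:
    """Scrub the key from any text that might reach a log or error message."""
    if not api_key:
        return message
    return message.replace(api_key, "[REDACTED]")


def call_api(url: str, api_key: Optional[str], limiter: MultiWindowLimiter,
             timeout: float = 10.0) -> bytes:
    """Rate-limited call whose errors are redacted before being re-raised."""
    if not limiter.allow():
        raise RuntimeError("client-side rate limit reached; back off before retrying")
    try:
        with urlopen(build_request(url, api_key), timeout=timeout) as resp:
            return resp.read()
    except (HTTPError, URLError) as exc:
        # Re-raise with the key scrubbed so the caller can log the error safely.
        raise RuntimeError(redact(f"API call failed: {exc}", api_key)) from None


if __name__ == "__main__":
    ENDPOINT = "https://api.example.invalid/v1/sandbox/ping"  # placeholder URL
    try:
        print(call_api(ENDPOINT, None, MultiWindowLimiter(SANDBOX_WINDOWS)))
    except RuntimeError as err:
        print(err)
```

The limiter counts only calls it permitted, so a burst that is refused locally never consumes server-side quota; urllib capitalises header names internally, which is why the header reads back as `X-api-key` even though it is sent as `x-api-key`.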
11. Known Limitations
- Single-region infrastructure (no active-active failover)
- External RPC dependency (outages possible)
- No enterprise-grade incident response (startup-tier)
- No 24/7 security monitoring
12. Security Roadmap
Planned improvements (no timeline guaranteed):
- SOC 2 Type II certification
- Multi-region redundancy
- Formal bug bounty program
- Penetration testing (annual)
13. Contact
Security Issues: admin@autodigitalcoin.com
General Support: support@zkorigoapi.com