Infrastructure
- Frontend: Static HTML/JS · Netlify
- Edge Functions: Netlify serverless · Node.js
- Database: Google Firebase Firestore
- Storage: Google Firebase Storage
- Auth: Ghost CMS + Firebase custom tokens
- Secrets: Google Cloud Secret Manager
- AI: Multi-provider LLM abstraction
- Data region: US · EU · Asia Pacific (Pegasus)
Security controls
- Per-tenant data isolation. Every Pegasus client gets their own Firebase project. Member data never shares infrastructure with another client. A bug in one tenant cannot affect another.
- Firestore security rules. Every database read and write is validated against the authenticated user's UID. Members can only access their own data. Server-side collections like the AI queue are completely locked to client access.
- Google Cloud Secret Manager. All API keys — Ghost, Anthropic, and client LLM keys — are stored in Google Cloud Secret Manager with full audit trails. Raw keys never touch Firestore or client-side code.
- Rate limiting. Every function that calls an external API is rate limited per authenticated user via Upstash Redis. A compromised account cannot abuse the platform or run up API costs.
- Prompt injection defense. All user input is sanitized before being injected into AI prompts. Every system prompt includes an injection defense header. Member content cannot manipulate the AI coach's behavior.
- Security headers. All responses include Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers. Clickjacking, MIME sniffing, and referrer data leakage are mitigated by the response headers themselves, independent of application code.
- Audit logging. All sensitive operations — badge actions, admin changes, data deletions, API key rotations — are written to an append-only audit log. Clients cannot modify or delete audit entries.
- GDPR right to erasure. Members can request deletion of all personal data at any time. Journal entries, goals, badges, and profile data are permanently deleted. Chat messages are anonymized. The request is logged in the audit trail.
- CMEK for enterprise. Enterprise Pegasus clients can provide their own Google Cloud KMS key ring. Their Firestore data is encrypted with their key — not Google's. They can revoke access by deleting their key at any time.
- Data residency. Clients choose United States, European Union, or Asia Pacific. EU clients' data never leaves Europe. This is enforced at the Firebase project level, not as a policy.
- Multi-provider LLM abstraction. Clients bring their own AI API key. Hapitalist never sees it in plaintext — it goes directly to Secret Manager. Clients can use any supported provider including HIPAA-eligible options (AWS Bedrock, Azure OpenAI) when available.
- Hapitalist.com serves ads. Your community's member data lives in your own Firebase project and is never used for advertising or shared with third parties. We use cookies — see our cookie policy for details.
Threat model
- Tenant isolation breach — Separate Firebase projects per client + Firestore security rules with clientId token claims
- Credential exposure — All keys in Google Cloud Secret Manager. No raw keys in Firestore, logs, or client-side code
- Prompt injection — Input sanitization strips injection tokens. System prompt defense header on every AI call
- API abuse — Per-user rate limiting on all LLM endpoints via Upstash Redis
- XSS — Content-Security-Policy headers + HTML escaping on all user-generated content
- CSRF — Ghost session cookie verification on every function call
- Calendar injection — All ICS fields sanitized; newlines, colons, and semicolons are stripped from user-provided content before it is written into calendar properties
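The calendar-injection mitigation above, as an added example for Netlify/Node.js functions (not Hapitalist's own code): member-supplied text is stripped of the delimiter and control characters the page lists and then RFC 5545 TEXT-escaped, so a value can never terminate its own property and add another line to the .ics file. Function names, the property template and the hostile sample input are constructed for illustration.

```javascript
// Added example (not Hapitalist code): sanitise user-provided text before it
// is written into iCalendar (RFC 5545) properties, so a value cannot break
// out of its property and add or overwrite other lines of the .ics file.

// Strip the characters the page lists (CR, LF, ':' and ';') plus the other
// C0 control characters, then apply RFC 5545 TEXT escaping for the remaining
// special characters (backslash and comma) so the value stays a single TEXT.
function sanitizeIcsText(input) {
  const stripped = String(input)
    .replace(/[\u0000-\u001f\u007f]/g, '') // CR, LF, TAB and other controls
    .replace(/[:;]/g, '');                  // property / parameter delimiters
  return stripped
    .replace(/\\/g, '\\\\')                 // escape backslash first
    .replace(/,/g, '\\,');                  // then the TEXT list separator
}

// Assemble a minimal VEVENT. UID and timestamps are generated server-side and
// never come from the member; only SUMMARY and DESCRIPTION carry user text,
// and both go through the sanitiser.
function buildVEvent({ uid, dtstamp, dtstart, summary, description }) {
  return [
    'BEGIN:VEVENT',
    `UID:${uid}`,
    `DTSTAMP:${dtstamp}`,
    `DTSTART:${dtstart}`,
    `SUMMARY:${sanitizeIcsText(summary)}`,
    `DESCRIPTION:${sanitizeIcsText(description)}`,
    'END:VEVENT',
  ].join('\r\n');
}

// Number of content lines in the output. With sanitised values this is fixed
// by the template (7), whatever the member typed.
function propertyCount(ics) {
  return ics.split('\r\n').length;
}

// Constructed sample: a goal title that tries to smuggle a second property
// through an embedded CRLF. After sanitising it is inert text in SUMMARY.
const HOSTILE_SUMMARY = 'Morning run\r\nDESCRIPTION:not really a run';

const SAMPLE_EVENT = buildVEvent({
  uid: 'example-uid-0001@pegasus.invalid',   // constructed placeholder
  dtstamp: '20240101T080000Z',
  dtstart: '20240102T070000Z',
  summary: HOSTILE_SUMMARY,
  description: 'Goal: 5 km, easy pace; no stopping',
});
```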
Reporting a vulnerability
If you discover a security vulnerability, please report it responsibly. We take all reports seriously and will respond within 48 hours.
Need a security review for your organization?
Enterprise Pegasus clients receive a full security architecture brief, CMEK support, and dedicated review. Get in touch.