Trust
Security
Our current, real security posture — described, not decorated.
Transport and browser hardening
Every response ships a set of enforced security headers:
- HSTS —
Strict-Transport-Securitywith a two-year max-age, subdomains and preload, so browsers only ever connect over HTTPS. - No MIME sniffing —
X-Content-Type-Options: nosniff. - Referrer policy —
strict-origin-when-cross-origin, so full URLs are not leaked to other origins. - Permissions policy — camera, microphone, geolocation and payment APIs are disabled.
- Clickjacking protection —
X-Frame-Options: SAMEORIGINeverywhere except the embeddable widget routes, which are intentionally framable.
A Content-Security-Policy is currently sent in report-only mode: it observes and reports resource sources without blocking, so an enforcing policy can be built from real data rather than guesswork. A broken enforcing CSP in production would be worse than none.
No passwords
When accounts are enabled, authentication is passwordless: single-use magic links (short-lived, stored hashed) and OAuth with providers such as Google and GitHub. There is no email-and-password flow, so there are no password hashes to leak and no password reuse to inherit.
API keys hashed at rest
API keys are hashed at rest — the database stores a hash, never the raw key, so a database dump cannot be used to call the API. Keys carry a cf_ prefix for easy identification and rotation. Internal service-to- service verification uses constant-time comparison to avoid timing leaks.
Signed calculation receipts
Calculation receipts (VCC) are signed with Ed25519using the platform's standard cryptography. The private signing key exists only in the server runtime and is never exposed to the browser; the public key is what verification checks against. A signature establishes integrity and attribution to a key — it is not, by itself, proof that a result is correct. What that distinction means in practice is spelled out on the verify page.
Data minimization
IP addresses used for rate limiting and audit logging are stored SHA-256 hashed, never in the clear. Calculator inputs on the free public tools are processed to compute a result and are not tied to an account. For the full picture of what is collected and retained, see the privacy policy.
What we do not claim
We describe only measures that are actually in place. CalcFleet does not hold a SOC 2, ISO 27001 or comparable third-party certification, and we do not claim one. Where a security capability is planned but not yet live, we say so rather than imply it exists.
Reporting a vulnerability
If you believe you have found a security issue, please email privacy@calcfleet.com. Give us a reasonable window to investigate and remediate before any public disclosure. We do not currently run a paid bug-bounty program, but we appreciate responsible disclosure.