
Security at Octaned

An overview of the controls Octaned uses to keep accounts, NDA-gated documents, and payment data safe. We're a small team — this page is honest about what we do and don't do.

Last updated · April 28, 2026

1. Transport & storage

  • TLS 1.2+ everywhere. The site is HTTPS-only with modern cipher suites. HTTP requests are 301-redirected to HTTPS.
  • Encryption at rest. The relational database (RDS Postgres) is encrypted at rest with KMS-managed keys. Uploaded documents and photos sit in an S3 bucket with default server-side encryption (AES-256).
  • Network isolation. The database is deployed in a private VPC subnet with no public ingress. Only the application's Fargate tasks can reach it, on a single port restricted by security group.

2. Authentication

  • Passwords are hashed with bcrypt (cost factor 10). Plaintext passwords are never logged or stored.
  • Sessions are 32-byte cryptographically random tokens delivered as HttpOnly, Secure, SameSite=Lax cookies. Sessions expire after 30 days, and the token is rotated on logout: the old token is invalidated and the next login issues a fresh one.
  • Account recovery is email-based. We never reset a password without confirming control of the account email.
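As an added illustration of the session model described above (example code written for this page, not Octaned's implementation): a minimal server-side session store that issues 32-byte random tokens, enforces the 30-day lifetime on the server rather than trusting the cookie, invalidates the token on logout, and serializes the cookie with the attributes listed. The class and function names, and the choice to store only a SHA-256 of the token so a database leak does not hand out live sessions, are assumptions made for the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Example code, not Octaned's. Lifetime matches the page; hashing the
# stored token is an assumption made for the example.
SESSION_LIFETIME = timedelta(days=30)


def _hash_token(token: str) -> str:
    # Store a digest, not the bearer token itself.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Server-side session table keyed by the hash of the bearer token."""

    def __init__(self):
        self._sessions = {}  # token hash -> (user_id, expires_at)

    def create(self, user_id: str, now: datetime) -> str:
        # 32 random bytes, base64url-encoded (43 characters).
        token = secrets.token_urlsafe(32)
        self._sessions[_hash_token(token)] = (user_id, now + SESSION_LIFETIME)
        return token

    def lookup(self, token: str, now: datetime):
        """Return the user id for a live session, or None."""
        key = _hash_token(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            # Expired sessions are purged, not merely ignored.
            del self._sessions[key]
            return None
        return user_id

    def logout(self, token: str) -> None:
        # Rotation on logout: the old token is dead from here on; the
        # next login calls create() and gets a fresh one.
        self._sessions.pop(_hash_token(token), None)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value with the attributes the page describes."""
    max_age = int(SESSION_LIFETIME.total_seconds())
    return (f"session={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore()
    now = datetime.now(timezone.utc)
    tok = store.create("user-1", now)
    print(set_cookie_header(tok))
    print(store.lookup(tok, now))                        # user-1
    print(store.lookup(tok, now + timedelta(days=31)))   # None
```

The Max-Age on the cookie only tells the browser when to stop sending it; the expiry check in `lookup` is the control, since a client can keep presenting an expired cookie indefinitely.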

3. NDA-gated documents

  • Documents flagged as private require the requesting buyer to have signed the per-listing NDA. The check runs server-side on every download request, not just when the document list is rendered, so knowing a document's URL is not enough to fetch it.
  • PDF downloads delivered to anyone other than the seller are watermarked: the downloader's name, email, download timestamp, and the listing URL are stamped repeatedly across each page and in a footer band. This deters leaks and makes a leaked copy traceable to its downloader; it does not technically prevent copying.
  • Every download is recorded in an audit log: which document, which user, when. Sellers see this in their listing analytics.
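To make the three controls above concrete, here is an added example (written for this page; not Octaned's code) of a per-download authorization check: it refuses private documents to anyone who is neither the seller nor an NDA signatory for that listing, attaches watermark text for every non-seller, and appends an audit record for each request. The class and function names, the user record shape, the listing URL, and the decision to log denied attempts as well as successful downloads are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Example code, not Octaned's. Names and data shapes are assumptions.


@dataclass(frozen=True)
class Document:
    doc_id: str
    listing_id: str
    seller_id: str
    private: bool        # True: non-sellers need the listing NDA
    listing_url: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    watermark: Optional[str] = None   # None only for the seller's own copy


class DocumentGate:
    """Server-side gate consulted on every download request."""

    def __init__(self, documents, nda_signatures):
        self._docs = {d.doc_id: d for d in documents}
        # (listing_id, user_id) pairs for executed NDAs
        self._ndas = set(nda_signatures)
        self.audit_log = []   # (doc_id, user_id, timestamp, allowed)

    def authorize_download(self, doc_id: str, user: dict, now: datetime) -> Decision:
        doc = self._docs.get(doc_id)
        if doc is None:
            return self._record(doc_id, user, now, Decision(False, "not_found"))

        is_seller = user["id"] == doc.seller_id
        nda_signed = (doc.listing_id, user["id"]) in self._ndas

        # The NDA requirement is evaluated here, per request, never
        # inferred from the fact that the client already has the URL.
        if doc.private and not (is_seller or nda_signed):
            return self._record(doc_id, user, now, Decision(False, "nda_required"))

        watermark = None
        if not is_seller:
            # Text stamped across each page and in the footer band.
            watermark = (f"{user['name']} <{user['email']}> "
                         f"{now.isoformat()} {doc.listing_url}")
        return self._record(doc_id, user, now, Decision(True, "ok", watermark))

    def _record(self, doc_id, user, now, decision):
        # Assumption for the example: denials are logged too.
        self.audit_log.append((doc_id, user["id"], now, decision.allowed))
        return decision


if __name__ == "__main__":
    # Constructed sample data.
    docs = [Document("d1", "L1", "seller-1", True,
                     "https://octaned.us/listings/L1")]   # constructed URL
    gate = DocumentGate(docs, {("L1", "buyer-1")})
    now = datetime.now(timezone.utc)
    for u in ({"id": "seller-1", "name": "Sam", "email": "sam@example.com"},
              {"id": "buyer-1", "name": "Bea", "email": "bea@example.com"},
              {"id": "buyer-2", "name": "Cal", "email": "cal@example.com"}):
        print(u["id"], gate.authorize_download("d1", u, now))
```

A practitioner might return the same HTTP status for `not_found` and `nda_required` so that an unauthorised buyer cannot enumerate which private documents exist; the distinct reasons here are kept for the audit record, not for the client.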

4. Payments

  • Payments are processed by a third-party PCI-DSS Level 1 processor. Octaned servers never see, store, or transmit primary account numbers (PANs).
  • We receive a redacted reference (last four, brand, transaction id) only after the processor confirms a successful charge.

5. Logging & monitoring

  • Application access logs (request URL, user, timestamp, IP) are retained for 90 days for security and abuse investigation.
  • Records of NDA signing, document downloads, and listing stage transitions are retained for the life of the listing as part of the audit trail available to the parties.
  • We monitor for authentication anomalies such as impossible-travel logins, and throttle accounts after repeated failed login attempts.
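As an added example of the two detections named above, run over a constructed sample of access-log lines (this is illustrative code written for this page, not Octaned's monitoring): impossible travel is flagged when the great-circle distance between two consecutive successful logins by the same user, divided by the time between them, exceeds a plausible speed, and throttling fires when a user accumulates a set number of failures inside a sliding window. The log line format, the IP-to-coordinate table standing in for a GeoIP database, the speed limit, and the failure threshold and window are all assumptions made for the example.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Example code, not Octaned's. The log format below is constructed.
SAMPLE_LOG = """\
2026-04-20T09:00:00Z login ok user=alice ip=203.0.113.10
2026-04-20T09:45:00Z login ok user=alice ip=198.51.100.7
2026-04-20T10:00:00Z login fail user=bob ip=192.0.2.44
2026-04-20T10:01:00Z login fail user=bob ip=192.0.2.44
2026-04-20T10:02:00Z login fail user=bob ip=192.0.2.44
2026-04-20T10:03:00Z login fail user=bob ip=192.0.2.44
2026-04-20T10:04:00Z login fail user=bob ip=192.0.2.44
2026-04-20T10:20:00Z login fail user=bob ip=192.0.2.44
2026-04-20T11:00:00Z login ok user=carol ip=203.0.113.10
2026-04-20T18:00:00Z login ok user=carol ip=198.51.100.7
"""

# Stand-in for a GeoIP lookup; coordinates are chosen for the example.
GEO = {
    "203.0.113.10": (40.71, -74.01),    # roughly New York
    "198.51.100.7": (51.51, -0.13),     # roughly London
    "192.0.2.44": (37.77, -122.42),     # roughly San Francisco
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_line(line):
    ts, _, result, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result, "user": fields["user"], "ip": fields["ip"]}


def detect(lines, max_speed_kmh=900.0, fail_limit=5,
           fail_window=timedelta(minutes=10)):
    """Return (kind, user, detail) alerts for the given log lines."""
    alerts = []
    last_ok = {}                 # user -> (timestamp, ip) of last success
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    for rec in (parse_line(l) for l in lines if l.strip()):
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "ok":
            if user in last_ok:
                prev_ts, prev_ip = last_ok[user]
                km = haversine_km(GEO[prev_ip], GEO[rec["ip"]])
                hours = (ts - prev_ts).total_seconds() / 3600.0
                # Two places at the same instant is treated as infinite speed.
                speed = km / hours if hours > 0 else math.inf
                if km > 0 and speed > max_speed_kmh:
                    alerts.append(("impossible_travel", user, speed))
            last_ok[user] = (ts, rec["ip"])
        else:
            q = fails[user]
            q.append(ts)
            while q and ts - q[0] > fail_window:   # slide the window
                q.popleft()
            if len(q) >= fail_limit:
                alerts.append(("throttle", user, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, alice's second login is about 5,570 km away after 45 minutes (over 7,000 km/h), bob's fifth failure lands inside the 10-minute window while his sixth does not, and carol's 7-hour gap works out to under 800 km/h and so is not flagged. Real deployments need to discount shared egress IPs, VPNs, and GeoIP error before treating these as more than a signal for review.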

6. Vulnerability reporting

We welcome responsible disclosure. Email security@octaned.us with:

  • a clear description of the issue and reproduction steps;
  • the URL or component affected;
  • any sample request/response or proof-of-concept (please don't exfiltrate data beyond what's necessary to demonstrate the issue);
  • your name (optional, for credit in our acknowledgements).

We'll acknowledge receipt within 2 business days and aim to resolve confirmed issues within 30 days, depending on severity. Please do not publicly disclose before we've had a chance to fix.

7. What we don't (yet) have

Honest limitations to set expectations:

  • No SOC 2 audit yet. We follow the practices above but haven't completed a formal audit.
  • No two-factor authentication yet. Coming. In the meantime, use a strong unique password.
  • No bug-bounty program. Reports are still welcome; we just don't pay cash bounties currently.

8. Contact

Security: security@octaned.us. General privacy questions: Privacy Policy.