1 Overview
Security is a core design principle of Beezifi Storage, not an afterthought. This policy describes the technical and organizational controls we have implemented to protect your data, prevent unauthorized access, and respond to security incidents.
Every organization on Beezifi Storage is fully isolated. No other tenant can access your files, buckets, API keys, or audit logs through any application interface, database query, or internal tool.
This policy applies to all users of the Beezifi Storage platform and complements our Privacy Policy and Terms of Service.
2 Data Isolation
Each organization operates in a completely isolated namespace. All files, buckets, objects, API keys, permissions, team members, and audit logs are scoped to a unique organization identifier. There is no shared data layer between organizations.
- All database queries are parameterized and scoped to the authenticated organization ID
- File storage is organized under per-organization directory namespaces
- API responses never include data belonging to other organizations
- Beezifi employees do not access organization data except when required by law or at explicit written request for support purposes, and all such access is logged
3 Authentication & Access Control
Password Security
User passwords are hashed using bcrypt with a work factor of 10 before storage. Plain-text passwords are never stored, logged, or transmitted. Password reset flows use short-lived, single-use tokens.
Session Management
Authentication sessions use JSON Web Tokens (JWTs) signed with a server-side secret. Tokens are transmitted via HTTP-only cookies or Authorization headers. Tokens have a configurable expiry and cannot be used after expiry.
Two-Factor Authentication (TOTP)
All users can enable TOTP-based two-factor authentication. TOTP secrets are encrypted at the application layer before storage. Once 2FA is enabled, a valid TOTP code is required for every login. Organization owners are encouraged to require 2FA for all team members.
Role-Based Access Control
Three roles govern access within an organization:
- Owner — full control including billing, members, policies, and all data
- Admin — can manage buckets, files, policies, and API keys; cannot manage billing or members
- Member — read and write access to files; subject to per-bucket permission policies
Permissions can be further restricted at the bucket level via policy rules (allow/deny per action per user).
API Keys
API keys are generated with a public access key and a secret key. Secret keys are shown only once at creation time; thereafter, only a SHA-256 hash is stored. API keys can be revoked at any time from the dashboard.
Rate Limiting
Authentication endpoints (login, registration, password reset) are rate-limited to prevent brute-force attacks. Excessive failed attempts result in temporary lockout.
4 Encryption in Transit
All communication between clients and Beezifi Storage is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. HTTP Strict Transport Security (HSTS) is enforced to prevent protocol downgrade attacks.
File uploads and downloads, API requests, signed URL access, and the dashboard itself all operate exclusively over encrypted connections. We do not support unencrypted HTTP access for any data operations.
5 Signed URLs
Signed URLs allow temporary, scoped access to private files without exposing your API credentials. Each signed URL includes:
- A cryptographic HMAC-SHA256 signature tied to the specific file path, HTTP method, and expiry timestamp
- A configurable expiry time (set at generation time)
- Scoping to a specific HTTP method (GET, PUT, etc.) — a download URL cannot be used for upload
Signed URL generation and access events are recorded in the organization's audit trail. An expired or tampered signed URL is rejected with a 403 error.
Public buckets allow unauthenticated access to files and are opt-in. By default, all buckets are private and require authentication or a valid signed URL.
6 Audit Trail
Beezifi Storage maintains an append-only audit log for every organization. The following events are automatically recorded:
Upload, download, delete, move, rename
Generation, access via signed URL, public access
Sign-in, sign-out, failed login attempts
Member changes, permission policy updates, API key creation/revocation
Each audit log entry captures the actor (user ID or API key ID), IP address, user agent, timestamp, action type, affected resource, and a JSON payload with relevant context. Audit logs are accessible to owners and admins and can be filtered and paginated from the dashboard.
Audit logs are retained for up to 2 years and cannot be deleted by organization users.
7 Infrastructure Security
- Database ports are not exposed to the public internet; only the application server can connect to the database
- Network segmentation separates application, database, and storage layers
- Dependencies are regularly audited for known vulnerabilities using automated scanning
- Infrastructure access is restricted to authorized personnel with MFA required for all administrative access
- Database backups are encrypted and stored separately with restricted access
- Server access logs are retained for security investigation purposes
8 Application Hardening
The Beezifi Storage application is built with defense-in-depth principles:
- HTTP security headers — Helmet.js enforces Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, HSTS, and Referrer-Policy on every response
- SQL injection prevention — all database queries use parameterized statements; raw string interpolation into queries is never used
- CORS policy — cross-origin requests are restricted to the configured application origin
- Input validation — all API inputs are validated and sanitized at the controller layer before processing
- File upload security — file content type and size are validated; storage paths are sanitized to prevent directory traversal
- Default-deny permissions — access to buckets and files is denied by default and must be explicitly granted via role or policy
- Multipart upload integrity — ETag checksums are verified during multipart upload completion
9 Incident Response
In the event of a security incident affecting your data, Beezifi will:
- Isolate the affected organization or infrastructure component within the shortest possible timeframe
- Conduct an assessment to determine the scope, nature, and cause of the incident within 72 hours of discovery
- Notify affected organizations by email within 72 hours of confirming that their data was or may have been accessed or compromised
- Provide a written summary of findings and remediation steps taken
- Cooperate with regulatory authorities as required by applicable law
To report a suspected security incident affecting your account, contact security@beezifi.com immediately.
10 User Responsibilities
Security is a shared responsibility. As an account owner or administrator, you are responsible for:
- Enabling two-factor authentication (TOTP) for your account and encouraging team members to do the same
- Using strong, unique passwords and not reusing credentials from other services
- Keeping your API keys confidential and revoking keys that are no longer needed or may be compromised
- Reviewing team member access and removing members who no longer require it
- Auditing permission policies on buckets containing sensitive data
- Reporting suspicious activity or unauthorized access to security@beezifi.com
- Not sharing account credentials or signed URLs beyond their intended audience
11 Vulnerability Disclosure
We take security research seriously and welcome responsible disclosure of vulnerabilities. If you discover a security issue in Beezifi Storage, please:
- Email a detailed report to security@beezifi.com
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access, modify, or delete data belonging to other organizations
- Give us reasonable time to investigate and remediate before public disclosure
We will acknowledge your report within 2 business days and keep you informed of our progress. We do not take legal action against researchers acting in good faith under this policy.
Security Contact
Email: security@beezifi.com
Acknowledgment: within 2 business days
Please include: affected endpoint, reproduction steps, potential impact