Security Practices

1. Executive Summary

CloudRepo is a cloud-native software artifact and package repository operated by ChenPo LLC (d/b/a CloudRepo), a US-based company headquartered in Fargo, North Dakota. Founded in 2016, CloudRepo has over 10 years of operational history serving development teams who need reliable, secure artifact management.

CloudRepo is bootstrapped and founder-led. We have no outside investors, no enterprise sales teams, and no incentive to compromise on security for short-term growth. Our business model is straightforward: provide a high-quality product at fair, predictable prices.

In over 10 years of operation, CloudRepo has experienced no known security breaches. We exclusively partner with SOC 2 certified vendors for all infrastructure and services that process customer data.

2. Infrastructure Security

CloudRepo runs entirely on Amazon Web Services in the US-West (N. California) region.

Compute and Networking

• Cloud-native architecture with auto-scaling and no single points of failure
• All production infrastructure runs within AWS with managed services handling availability and redundancy

Storage

• Artifact storage: Amazon S3 with 99.999999999% (11 nines) durability. Versioning is enabled on all artifact buckets.
• Metadata and database: Amazon DynamoDB with automated backups and point-in-time recovery

Network Security

• DDoS protection: AWS Shield Standard provides baseline DDoS protection automatically across all AWS resources
• TLS: TLS 1.2+ is enforced on all connections, with termination handled at the load balancer and application level

Data Residency

• All customer data is stored exclusively in the United States

3. Data Protection

Encryption at Rest

• All S3 objects are encrypted using AES-256 server-side encryption
• DynamoDB tables use encryption at rest
• Row-level encryption is not implemented. Data is protected by encryption at rest combined with strict access controls at the application and infrastructure layers.

Encryption in Transit

• TLS 1.2+ is enforced on all connections. Unencrypted HTTP connections are rejected or redirected.

Credential Storage

• All user passwords are hashed using PBKDF2 with BLAKE2b-512, 50,000 iterations, and a 12-byte random salt per credential
• Plaintext credentials are never stored, logged, or transmitted after initial processing

Data Classification

• Customer artifacts and associated metadata are treated as confidential
• System metrics and logs are treated as internal. Logs may contain user IDs for troubleshooting purposes but are automatically purged per platform retention policies (Grafana Cloud: 30 days; AWS CloudWatch: per AWS defaults).

4. Access Controls

Production Infrastructure

• AWS Console access requires multi-factor authentication (MFA) for all users
• Production access is limited to essential personnel only, following the principle of least privilege
• No shared credentials exist for any production system; all access uses individual accounts with MFA

Source Code

• All source code is hosted on GitHub with MFA required for all contributors
• Code changes require review before merging to production branches

Access Reviews

• Access to production systems and source code is reviewed regularly to ensure appropriateness

5. Authentication

User Authentication

• Username and password authentication
• Password policy: 8 to 256 characters

Password Security

• Hashing algorithm: PBKDF2 with BLAKE2b-512
• Iterations: 50,000
• Salt: 12-byte random salt, unique per credential

Password Reset

• Token-based reset using UUID tokens
• Tokens expire after 2 hours and are single-use
• Reset emails are delivered via Postmark (SOC 2 certified)

SCIM 2.0 Provisioning

Full SCIM 2.0 implementation including:

• Users: Create, Read, Update, Delete
• User filtering and search
• ServiceProviderConfig endpoint
• Bearer token authentication

Single Sign-On

• SSO via SAML and OIDC is on our roadmap. We encourage customers to tell us which identity providers they need so we can prioritize accordingly.

6. Application Security

Development Practices

• Automated code analysis is integrated into the development workflow
• Pre-commit validation and testing gates are enforced in the CI/CD pipeline
• Comprehensive qualification testing is performed before any code reaches production
• Code review is required for all changes to production code

Vulnerability Management

• We are implementing formal automated vulnerability scanning tools in 2026
• Independent security researchers have identified and reported vulnerabilities through our security research program, and we have addressed reported findings promptly

7. Incident Response

Contact

• Dedicated security contact: security@cloudrepo.io
• We respond to security reports as quickly as possible, typically within 24 hours

Track Record

• No security incidents in the past 3 years
• No known data breaches in company history

Response Process

1. Identification — Detect and confirm the security event
2. Containment — Isolate affected systems to prevent further impact
3. Eradication — Remove the root cause
4. Recovery — Restore normal operations and verify integrity
5. Post-incident review — Document lessons learned and implement improvements

Customer Notification

• Customers are notified within 72 hours of a confirmed breach, consistent with our Data Processing Agreement

8. Business Continuity & Disaster Recovery

Data Durability

• S3 cross-region replication is configured for disaster recovery of artifact data
• DynamoDB automated backups with point-in-time recovery protect metadata and configuration

Architecture Resilience

• Cloud-native architecture on AWS managed services eliminates single points of failure
• Auto-scaling ensures availability under varying load conditions

Monitoring

• System health is monitored via Grafana Cloud with automated alerting on anomalies and threshold breaches

BCP/DR Plan

• We do not maintain a formal documented Business Continuity Plan or Disaster Recovery plan. Our cloud-native architecture on AWS managed services provides inherent resilience, and our operational procedures cover recovery scenarios.

9. Vendor Management & Subprocessors

All subprocessors are reviewed annually for compliance and appropriateness. Every vendor listed below holds SOC 2 certification.

The full subprocessor list is also published at cloudrepo.io/subprocessors.

10. Data Privacy

GDPR

• Data deletion requests are processed within 30 calendar days of a verified request
• We collect only the data necessary to provide the service (data minimization)
• A Data Processing Agreement is available upon request

CCPA

• CloudRepo is compliant with California Consumer Privacy Act requirements

General Commitments

• We do not sell customer data to third parties
• Customer data is used solely for providing and improving the CloudRepo service

11. Compliance Roadmap

CloudRepo does not currently hold formal security certifications such as SOC 2 or ISO 27001. We believe in transparency about where we are and where we are headed.

In Progress (2026)

• Formal automated vulnerability scanning tools are being implemented
• SSO support (SAML/OIDC) is on our product roadmap

Ongoing

• Continued investment in security infrastructure and operational practices
• Annual review of all subprocessor compliance status
• Regular evaluation of certification options

We evaluate certification options periodically. Currently, our focus is on maintaining strong security practices and full transparency rather than pursuing formal certifications whose cost is disproportionate to our company size.

12. Document Revision History