Security
How we protect your infrastructure, your data, and the product itself.
Last updated June 23, 2026
Overview
Ampliflare manages your Cloudflare resources on your behalf, so the security of your account and your data is the core of the product. This page answers the questions teams usually ask during a vendor or risk review and points to the documents we can share.
Our security posture
Ampliflare is a lean, bootstrapped team, so the company does not hold independent SOC 2 or ISO 27001 certifications, and we'd rather be straightforward about our current stage. The core infrastructure is built entirely on Cloudflare, which is SOC 2 Type II and ISO 27001 certified.
The following controls are in place:
- Data encryption: credentials are encrypted with AES-256-GCM, with the encryption key isolated from the data it protects.
- Append-only audit logs: administrative actions and configuration changes in customer environments are recorded in permanent, timestamped audit logs.
- Access control and identity management: production access is restricted to authorized personnel, requires multi-factor authentication (MFA), and is subject to routine access reviews.
- Secure CI/CD pipeline: every change must pass automated lint, type-check, and dependency vulnerability scanning before it can merge, and runs in a staging environment ahead of production.
- Minimal data path: your account data and Cloudflare resources stay within Cloudflare. Supporting subprocessors are limited to error monitoring and usage analytics, all disclosed below.
Cloudflare publishes its SOC 2 and ISO certifications through its Trust Hub, also accessible from your own Cloudflare account. To support vendor risk assessments, we provide a written description of the infrastructure architecture and complete standard security questionnaires such as the CAIQ or SIG.
System architecture
Ampliflare runs natively and entirely on Cloudflare's global network. We do not operate independent servers or data centres, and there is no intermediate cloud environment in the data path between you and your infrastructure.
The platform is built on Cloudflare's edge computing model across these core components:
- Application and edge logic: the dashboard and API run as Cloudflare Workers at the network edge. The API acts on your resources directly using the tokens you provide, which keeps latency and attack surface low.
- Asynchronous processing: background tasks such as cleanup and synchronization run on Cloudflare Workflows, isolating long-running operations and guaranteeing retry safety.
- Persistent storage: metadata, audit logs, and configuration are stored in Cloudflare D1 (SQL database). Snapshots and monitoring history are isolated in Cloudflare R2 object storage.
- Edge monitoring: availability and uptime checks are distributed across Cloudflare's network, coordinated by stateful Durable Objects.
- Identity and session management: authentication is built on Better Auth, a vetted session-management framework. Credentials are never stored in plain text; passwords are protected with a strong, salted cryptographic hash, and sessions are isolated at the application layer.
- Status pages: customer-facing status pages are provisioned through Cloudflare for SaaS, delivered at the edge under custom domains.
Sensitive asset management (Cloudflare tokens)
API tokens are the most sensitive assets you entrust to Ampliflare, and we manage their lifecycle with strict cryptographic and operational controls.
- Cryptographic protection: tokens are encrypted at the application layer with AES-256-GCM (authenticated encryption), using a unique, cryptographically random initialization vector per entry, before they are written to persistent storage. The storage schema is versioned to support zero-downtime rotation of the encryption scheme.
- Secret isolation: the 256-bit encryption key is held as a Cloudflare Worker secret, separate from the database that holds the ciphertext.
- In-memory decryption: tokens are decrypted only in memory, scoped to the execution of the authorized operation that needs them.
- Least privilege and revocation: Ampliflare operates only within the permissions your Cloudflare API token grants. Revoking the token in your Cloudflare dashboard terminates all platform access immediately. Your Ampliflare dashboard session is separate from token authorization, so revoking a token does not end an active session; sign out to do that.
- Logging: tokens are never written to our application logs.
- Functional scope: tokens are used solely to carry out the operations you initiate or configure.
- No third-party sharing: tokens are never disclosed, shared, or transferred to any third party.
Tenancy, isolation, and residency
Ampliflare uses a multi-tenant architecture with logical data separation. Account metadata, configuration, API tokens, and append-only audit logs are bound to a specific account identifier, and database queries run within the verified account context, so each tenant's data stays isolated from others.
Your stored data (account metadata, configuration, tokens, audit logs, and snapshots) lives only in Cloudflare's network, using D1 and R2, and is not copied to storage outside Cloudflare. We do send operational data to a few supporting services: error and performance monitoring to Sentry (configured not to attach personal data), and website and product usage analytics to Umami and Google Analytics. All of them are listed under Subprocessors below. If we add another subprocessor, we will list it there and notify customers before it begins processing your data, bound by equivalent data-protection obligations.
Infrastructure security
Because Ampliflare is built natively on Cloudflare, the physical, environmental, and network perimeter controls behind it are Cloudflare's, on a network certified SOC 2 Type II and ISO 27001.
- Data in transit: all network traffic to and from the platform is encrypted with TLS.
- Data at rest: Cloudflare's managed storage encrypts data at rest, and sensitive API credentials carry an additional layer of application-level encryption.
- State rollback: before any destructive operation, the platform captures an isolated snapshot of the targeted configuration, so the change can be restored in one step.
Operational security
Every change Ampliflare makes on your behalf is written to a timestamped audit log, and access to production is limited.
- Audit trail: every toggle, edit, and block is recorded with a timestamp so you can see what changed and when.
- Production access: restricted to the team members who need it, protected by MFA, and reviewed periodically.
- Token scope: Ampliflare can only act within the scope of the token you provide. It cannot reach zones or resources you didn't grant.
- Revocation: revoking the token in Cloudflare immediately cuts off the service's access.
Secure development
Every code change goes through a pull request that must pass automated lint, type-check, and dependency vulnerability scanning across the codebase before it can merge or deploy. Deploys are cut from release tags rather than ad-hoc pushes, and changes run in a staging environment ahead of production. Application secrets, including the credential encryption key, are stored as Worker secrets and are never committed to the codebase.
Product security
Destructive actions are gated behind a snapshot step, and the changes you schedule are yours to review before they run. You can also use a separate token per feature to contain the blast radius of any single token, so a read-only D1 viewer never gains the ability to edit your DNS.
Availability
Ampliflare sits on top of your Cloudflare account; it does not sit between you and Cloudflare. If Ampliflare is unavailable, your Cloudflare resources keep running and you can manage them directly in the Cloudflare dashboard. Scheduled jobs resume when the service is back.
Incident response
If a security breach affects your data, we will notify affected customers within 72 hours of becoming aware of it, with what we know at the time and what we are doing about it. If you suspect an issue, report it using the vulnerability address below.
Data retention and deletion
We keep audit logs and rollback snapshots for 12 months, then remove them. Account data is kept while your account is active. To delete your account, email privacy@ampliflare.com; we remove your account data and stored credentials within 30 days of the request. You can revoke your Cloudflare token yourself at any time, which immediately stops any further access.
Cookies and analytics
For sign-in we use a first-party httpOnly session cookie, plus a small cookie that remembers your sidebar state. For product analytics we use two services, listed under Subprocessors: Umami, which is cookieless, and Google Analytics, which sets its own cookies (such as _ga) to measure usage. We use these to understand how the product is used, not for advertising. You can block analytics cookies in your browser or with a content blocker.
Subprocessors
Ampliflare uses these subprocessors:
- Cloudflare: hosting, compute, storage (D1 and R2), email delivery, and the network the service runs on.
- Sentry: error and performance monitoring for the application, configured to exclude personal data from events.
- Umami: cookieless website and product usage analytics.
- Google Analytics: website and product usage analytics; sets cookies in your browser.
Authentication is handled in the app, so there is no third-party authentication or email provider. If we add a subprocessor, we will update this page and notify customers before it begins processing your data, and it will be bound by equivalent data-protection obligations.
Reporting a vulnerability
If you find a security issue, please report it to privacy@ampliflare.com rather than disclosing it publicly. We'll acknowledge your report and keep you updated as we investigate.
Requesting documents
If you need a data processing agreement (DPA) or a completed security questionnaire for your review, email privacy@ampliflare.com and we'll work with you on it.