Security

Security Overview

Comfrey is built with a security-minded approach and practical controls suitable for pre-launch operations.

What We Store

For beta signups, we store email, consent, optional source/use-case fields, user agent, and a hashed IP value. We do not store raw IP addresses in signup records.

Encryption in Transit

Traffic to the site and signup endpoint is served over HTTPS via Cloudflare.

Access Control Principles

Least-privilege access to infrastructure and data stores
Environment-specific secrets for sensitive values such as hash salts
Operational logging focused on reliability and abuse prevention

Abuse Prevention

Signup requests are protected by a honeypot check and best-effort rate limiting using short-lived counters.

For security questions, contact contact@comfrey.com.