Layer8 Systems

Security

Infrastructure data is sensitive. Here’s exactly how Layer8 Systems protects yours.

End-to-End Encryption

NoteTakr encrypts all note and device-config content in your browser with AES-256-GCM before it leaves your device. The per-user encryption key is derived client-side with HKDF-SHA-256 and is never available to the server. The server stores only ciphertext, so we cannot read your notes.

Zero-Trust Authentication

Authentication is handled by Clerk, which issues short-lived JWTs. Every API request is validated server-side against that token, and organization membership and roles are re-checked on every query and mutation. Nothing inside the backend is trusted implicitly: a request gains no access by having reached an internal service.

Strict Data Isolation

All data queries are scoped to the authenticated user ID. Cross-user access requires an explicit share at a specific permission level. Membership in an organization does not by itself grant access to any map, asset, or note: there is no ambient org-wide access.

Hardened Transport

HTTPS enforced with HSTS (2-year max-age, includeSubDomains). Content-Security-Policy blocks inline scripts and restricts connections to known origins. X-Frame-Options, X-Content-Type-Options, and Permissions-Policy headers applied globally.

Technical Details

Encryption algorithm: AES-256-GCM (Web Crypto API)
Key derivation: HKDF-SHA-256, per-user salt, info='notetakr-v1'
IV size: 12 bytes (random, per encryption)
Auth tag: 128-bit GCM authentication tag
Auth provider: Clerk — short-lived JWTs, PKCE OAuth flows
Webhook verification: Svix HMAC-SHA256 with replay attack protection (5-minute window)
Transport: TLS 1.3, HSTS preload, wss:// WebSocket
Rate limiting: Per-user and per-IP token-bucket, 1-minute windows

Reporting a Vulnerability

If you discover a security issue, please report it responsibly via email before disclosing it publicly. We aim to acknowledge all reports within 48 hours.

security@layer8systems.ca

See our full SECURITY.md for scope, timelines, and architecture details.