Security & Trust

How this site is secured

thedurham.nyc is a small, privately-gated workshop — but it is built the way a production system should be: identity verified at the network edge, authorization enforced in the application, everything encrypted in transit and at rest, and every change recorded.

● Last reviewed June 3, 2026

Edge-hardened

Served from Cloudflare’s global edge. No origin server to breach; DDoS and bot mitigation are always on.

Zero-trust access

The private lab takes two independent gates to enter — identity, then per-person permission.

Encrypted throughout

Modern TLS for every request; application data encrypted at rest on Cloudflare’s network.

Least-privilege keys

Every API key is an encrypted secret, scoped to the minimum it needs — never in source.

Fully audited

Who changed what, and when, is recorded for every action — and any change is one click to undo.

SOC 2 foundations

Built entirely on independently-audited, SOC 2 Type II-certified infrastructure.

01Access & authentication

Two independent gates protect everything private. This is defense in depth: a gap in one layer is still caught by the other.

The open internet

The landing page and this page are intentionally public. Everything under /lab/ is not.

↓

Layer 1 · Identity

Cloudflare Access (Zero Trust)

Before a private page is ever served, the visitor must prove they control an email address by entering a one-time PIN sent to it. There are no passwords to phish, reuse, or leak. Sessions are short-lived (24 hours).

↓

Layer 2 · Authorization

Per-person, per-prototype allowlist

A verified identity is not access. Application middleware checks an allowlist on every request — a visitor sees only the specific prototypes they have been explicitly granted, and nothing else. Administrative tools are restricted further still. The check fails closed: a misconfiguration denies access rather than exposing data.

↓

Protected

Your data — encrypted & audited

Reaches here only after both gates pass. Read-only by default; only an administrator can change anything.

02Infrastructure & network

The site runs on Cloudflare’s edge platform — the same network that fronts a large share of the public internet.

No origin server. Pages are static files and serverless functions running on Cloudflare’s edge. There is no always-on virtual machine, no open SSH port, and no database server exposed to the internet — so there is no classic origin to compromise.
TLS everywhere. All traffic is HTTPS over modern TLS, with certificates issued and auto-renewed by Cloudflare. Plain-HTTP requests are redirected to HTTPS.
DDoS protection. Cloudflare absorbs volumetric and application-layer denial-of-service attacks automatically, at network scale.
Edge firewall & bot mitigation. A web application firewall and bot-management run in front of every request.
Global, resilient delivery. Content is served from the nearest of Cloudflare’s data centers worldwide, with no single point of failure.

03Data protection

The guiding principle is to store as little as possible, and to encrypt what is stored.

Encrypted in transit. Every byte between your browser and the edge travels over TLS.
Encrypted at rest. Application state lives in Cloudflare’s managed database (D1) and vector store, which encrypt data at rest on Cloudflare’s infrastructure.
Data minimization. The only personal data the site retains is the email addresses used to gate access, plus a record of who made each change. There are no passwords stored, no payment data, and no tracking of the public landing page.
Tenant isolation. Each prototype owns its own data; access grants are scoped to a single prototype at a time, so a grant to one does not leak another.

04Secrets & key management

Credentials are treated as the crown jewels and handled accordingly.

Encrypted secrets, never in code. Every API key and token is stored as an encrypted environment secret on Cloudflare. None are committed to source control or shipped to the browser.
Least privilege. Tokens are scoped to the narrowest role and resource that works — for example, a read-only token for indexing is kept separate from a write token used by exactly one endpoint, and repository tokens are scoped to a single repository.
Short-lived & rotatable. Setup credentials expire automatically, and long-lived keys can be rotated without redeploying the application.
Server-side only. Calls to third-party APIs happen on the server (edge functions), so keys are never exposed to the client.

05Auditing & change history

Every meaningful action is attributable and reversible.

Attribution. Each state-changing request records the verified email of who made it, and when.
Reversibility. Changes are written to an append-only activity log that snapshots the prior value — so any change is one click from being reverted.
Provenance. Where information is ingested from a document, the source file and a content fingerprint are recorded alongside the change, so its origin can always be traced.

06AI features & data privacy

Some prototypes use AI to classify documents or answer questions over private notes. That comes with specific, deliberate guarantees.

No training on your data. The AI features call the Anthropic (Claude) and Voyage APIs under commercial terms — content sent to them is not used to train models.
Private content stays private. Indexed notes live in a private vector store and are only ever surfaced back to the authenticated owner who has access to them.
Rate-limited. AI endpoints carry usage caps to contain abuse and runaway cost.
Auditable. Each AI query is logged with the asker’s identity and the sources it cited.

07Compliance & certifications

To be precise: thedurham.nyc is a personal site and does not itself hold a SOC 2 certification. It is built entirely on infrastructure and service providers that maintain independently-audited SOC 2 Type II attestations (and, in most cases, ISO 27001 and more). In practice that means the controls protecting this site — physical security, change management, access control, incident response — are the same ones trusted by enterprises, validated by external auditors, not by self-assertion.

The providers this site depends on, and where to verify their current attestations:

Provider	Role here	Independent attestations
Cloudflare Hosting, CDN, Zero-Trust access, database, vector store	The platform the entire site runs on	SOC 2 Type II ISO 27001, ISO 27018, PCI DSS · trust hub
Anthropic Claude API — document & chat AI	Powers the AI assistant features	SOC 2 Type II Does not train on API data · trust center
Voyage AI Text embeddings (now part of MongoDB)	Turns notes into searchable vectors	See MongoDB trust center
GitHub Source code & private content repos	Stores the code and synced notes	SOC 1/2/3 · trust center
Microsoft Microsoft 365 calendar (opt-in per user)	Reads a connected user’s calendar, only if they connect it	SOC 1/2/3 ISO 27001, FedRAMP · trust center
GoDaddy Domain registrar & email (MX)	Domain registration and inbound email routing	See privacy & legal

Certifications are held and published by the named providers. Follow each link for current, authoritative attestations and, where offered, access to the underlying audit reports.

08Reporting a vulnerability

Good-faith security research is welcome. If you believe you have found a vulnerability, please report it privately first.

Email [email protected] with a clear description and steps to reproduce. You will get an acknowledgement, and credit if you would like it.

Please do not run automated scanners, brute-force, or any test that degrades service for others (no denial-of-service).
Do not access, modify, or exfiltrate data that is not your own — demonstrate impact with the minimum necessary.
Give a reasonable window to fix the issue before any public disclosure.

09About this site

thedurham.nyc is the personal workshop of Matt Durham — a private home for live dashboards, prototypes, and experiments. It is run by one person, for a small set of invited collaborators, with the security posture described above.

A fuller bio and background on Matt’s work is coming soon.