Security

How we protect your data and keep your information safe

EU Data Hosting

Servers located in Europe

Encrypted in Transit

TLS 1.3 encryption

Encryption Support

TLS in transit, configurable at-rest

Privacy-First

No third-party tracking

Our Security Commitment

At LynxPrompt, security is not an afterthought—it's foundational to how we build and operate our platform. We implement industry-standard security measures to protect your data, your blueprints, and your privacy.

Infrastructure Security

European Union Data Residency

All primary data is stored on servers physically located in the European Union. This ensures your data benefits from strong EU data protection laws and never leaves European jurisdiction without appropriate safeguards.

Network Security

Our infrastructure is protected by Cloudflare's enterprise-grade DDoS protection and Web Application Firewall (WAF). Rate limiting is implemented at both edge and application levels to prevent abuse.

Internal Network Isolation

Database servers are not exposed to the public internet. All internal services communicate over encrypted private networks with strict access controls.

Self-Hosting Note

Self-hosted instances ship with the same application-level protections described on this page (security headers, session handling, secret detection), but not with the hosted infrastructure around them: Cloudflare's DDoS protection and WAF, and EU data residency, apply to the instance we operate. Operators are responsible for their own infrastructure security, network configuration, edge protection, data residency, and TLS certificates.

Data Encryption

Encryption in Transit

All data transmitted between your browser and LynxPrompt is encrypted using TLS 1.3, the current version of the Transport Layer Security protocol. We enforce HTTPS on all connections and send HSTS (HTTP Strict Transport Security) headers, so that once a browser has visited the site it refuses to connect over plain HTTP.

Encryption at Rest

Self-hosted instances can be configured with encryption at rest at the storage or database layer (e.g., full-disk encryption of the database volume, or transparent data encryption where your PostgreSQL distribution provides it; upstream PostgreSQL has no built-in TDE). Sensitive fields like API tokens and credentials are stored only as server-side hashes computed with modern algorithms, never as plaintext, so a copy of the database does not yield usable tokens.

Secure Headers

We implement comprehensive security headers including Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy to protect against common web vulnerabilities like XSS and clickjacking.
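The header set above, as an added example that is not LynxPrompt's own code: a baseline value for each header the paragraph names (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) and a checker that flags a response whose headers are missing or weak. The header names and directives are standard; the baseline values, the one-year HSTS threshold and the constructed WEAK_HEADERS set are this example's own choices.

```python
# Added example (not LynxPrompt's own code): a baseline set of the response
# headers named above and a checker that flags missing or weak values.
# Header names and directives are standard; the thresholds and baseline
# values are this example's own choices.
from __future__ import annotations

MIN_HSTS_MAX_AGE = 31536000  # one year, the common minimum (and the preload-list requirement)

# Baseline this example considers acceptable for an app that serves no third-party content.
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed example of a weak configuration, for comparison.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}


def _parse_hsts(value: str) -> dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def _parse_csp(value: str) -> dict[str, list[str]]:
    """\"default-src 'self'; object-src 'none'\" -> {'default-src': [\"'self'\"], 'object-src': [\"'none'\"]}"""
    out = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response's headers; an empty list means it passes.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = _parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = _parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
        for directive in ("default-src", "script-src"):
            if "'unsafe-inline'" in csp.get(directive, []):
                findings.append(f"CSP allows 'unsafe-inline' in {directive}")

    # Clickjacking: either CSP frame-ancestors or a restrictive X-Frame-Options is required.
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    return findings


if __name__ == "__main__":
    for name, hdrs in (("recommended", RECOMMENDED_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_security_headers(hdrs) or "OK")
```

Point the checker at the headers of a real response (for example the dict from `requests.get(url).headers`) to confirm a deployment matches what this page describes. Note that X-Frame-Options is only a fallback for older browsers; CSP frame-ancestors is the directive modern browsers honour, which is why the checker accepts either.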

Authentication Security

OAuth 2.0 Authentication

We use secure OAuth 2.0 authentication via trusted providers (GitHub, Google). We never see or store your passwords from these providers—authentication is handled entirely by them using industry-standard protocols.

Passkeys (WebAuthn)

LynxPrompt supports passkeys (WebAuthn), a phishing-resistant form of authentication. A passkey is bound to the site's origin, so it cannot be used on a look-alike domain; user verification happens on your device (biometrics or a device PIN), and no shared secret is stored on the server for a breach to expose, which removes the risks that come with passwords.

Magic Links

Our passwordless email authentication uses secure, time-limited magic links. Links expire after a short period and can only be used once, reducing the attack window for potential interception.
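The issue-and-redeem flow described above, as an added example that is not LynxPrompt's own implementation. It shows the three properties the paragraph names: a random high-entropy token, a short expiry, and single use. It also stores only a SHA-256 hash of the token server-side, so a leaked database does not contain usable links. The 15-minute TTL, the in-memory store, and the URL path `/auth/magic` are this example's assumptions.

```python
# Added example (not LynxPrompt's own code): time-limited, single-use magic-link tokens.
# Only a hash of the token is stored; the raw token exists solely in the emailed link.
from __future__ import annotations
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: links are valid for 15 minutes

# Stand-in for the database table: token hash -> {email, expires, used}
_pending: dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # The raw token has 256 bits of entropy, so a plain SHA-256 lookup key is
    # sufficient; slow password hashes exist for low-entropy secrets like passwords.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, base_url: str, now: float | None = None) -> str:
    """Create a single-use token for `email` and return the link to send by email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64
    _pending[_hash_token(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{base_url}/auth/magic?token={token}"  # assumed endpoint path


def redeem_magic_link(token: str, now: float | None = None) -> str | None:
    """Return the authenticated email address, or None if the token is unknown,
    expired, or already used. A successful redemption consumes the token."""
    now = time.time() if now is None else now
    record = _pending.get(_hash_token(token))
    if record is None or record["used"]:
        return None
    if now > record["expires"]:
        del _pending[_hash_token(token)]  # expired: discard rather than keep around
        return None
    record["used"] = True  # single use: mark consumed before granting the session
    return record["email"]


if __name__ == "__main__":
    link = issue_magic_link("user@example.test", "https://lynxprompt.example")
    tok = link.split("token=", 1)[1]
    print("first use:", redeem_magic_link(tok))   # email address
    print("second use:", redeem_magic_link(tok))  # None
```

Because the token in the link is never stored, an attacker who reads the table cannot log in, and because the record is flipped to used before the session is created, a link that was intercepted and replayed after the legitimate user clicked it fails.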

Session Security

Sessions use cookies flagged Secure and HttpOnly, so they are only sent over HTTPS and cannot be read by JavaScript. CSRF tokens protect against cross-site request forgery attacks. Sessions automatically expire after periods of inactivity.

Payment Security

Stripe Payment Processing

All payment processing is handled by Stripe, a PCI DSS Level 1 service provider, the highest level of certification in the payment industry. We never see, store, or have access to your full card numbers: payment data goes directly to Stripe's servers and does not pass through ours.

Privacy-First Infrastructure

Self-Hosted Analytics (Umami)

We use Umami, a privacy-focused analytics solution that we self-host on our own EU servers. It's completely cookieless, doesn't track individuals across sessions, and no data is shared with third parties. You cannot be personally identified through our analytics.

No Third-Party Tracking

LynxPrompt does not use Google Analytics, Facebook Pixel, or any other third-party tracking services. We don't sell your data, and we don't share it with advertisers. Your usage data stays with us.

Operational Security

Access Controls

Administrative access to production systems is restricted to authorized personnel only. Access is protected by VPN and SSH key authentication. We follow the principle of least privilege—team members only have access to the systems they need.

Regular Backups

Database backups are performed regularly and stored securely. Backup procedures are tested to ensure data can be recovered in case of incidents. Backups are retained according to our data retention policy.

Dependency Management

Dependencies are continuously monitored and updated via automated tooling (Renovate). Our build pipeline includes security scanning to identify and address potential vulnerabilities before deployment.

Compliance

GDPR Compliance

LynxPrompt is fully compliant with the General Data Protection Regulation (GDPR). We provide data access, rectification, erasure, and portability rights. Data deletion requests are processed within 30 days.

Data Processing Agreements

For business customers who need formal data processing documentation, we provide a Data Processing Agreement (DPA) that meets GDPR requirements.

Subprocessor Transparency

We maintain a complete list of third-party services that process data on our behalf in our Privacy Policy. Each subprocessor is vetted for GDPR compliance and appropriate data protection measures.

Blueprint Security

Secret Detection

Blueprints can inadvertently contain API keys, tokens, or passwords. LynxPrompt scans blueprint content for common secret patterns—such as AWS keys, bearer tokens, and connection strings—and warns you before saving. This helps prevent accidental exposure, especially when sharing blueprints publicly or across a federation.
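Pattern-based detection of the kind described above, as an added example that is not LynxPrompt's scanner: it covers the secret shapes the paragraph names (AWS keys, bearer tokens, connection strings) plus a few other common ones, strips [[NAME]] placeholders before matching so templated values never trip the check, and redacts what it reports. The patterns and the sample blueprint are constructed for this example.

```python
# Added example (not LynxPrompt's own scanner): regex detection of common
# secret shapes in blueprint text. Patterns and sample input are this example's own.
import re

PLACEHOLDER = re.compile(r"\[\[[A-Za-z0-9_]+\]\]")

SECRET_PATTERNS = {
    # AWS access key IDs: fixed 4-letter prefix followed by 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # AWS secret keys: a 40-character base64-like run close to the word "aws".
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,30}?(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*", re.IGNORECASE),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # user:password@ embedded in a database URL
    "connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@",
        re.IGNORECASE),
    # key = value assignments whose value is a long opaque string
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}


def scan_blueprint(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, redacted_sample) for each suspected secret.
    Only the first 6 characters of a match are reported, so the warning itself
    does not copy the secret into logs or the UI."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        candidate = PLACEHOLDER.sub("", line)  # [[VAR]] references are the supported form
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(candidate):
                findings.append((lineno, kind, match.group(0)[:6] + "..."))
    return findings


# Constructed sample: two hardcoded secrets and two correctly templated values.
SAMPLE_BLUEPRINT = """\
name: deploy-helper
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  DATABASE_URL: postgresql://app:[[DB_PASSWORD]]@db.internal:5432/app
  OPENAI_API_KEY: [[OPENAI_API_KEY]]
headers:
  Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl
"""

if __name__ == "__main__":
    for lineno, kind, sample in scan_blueprint(SAMPLE_BLUEPRINT):
        print(f"line {lineno}: possible {kind} ({sample})")
```

Run against the constructed sample, the scan flags the AWS key on line 3 and the bearer token on line 7 and stays silent on the two placeholder lines. A scanner like this is a warning, not a guarantee: entropy-based checks catch secrets with no recognisable prefix, and nothing replaces keeping the secret out of the blueprint in the first place.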

Template Variables

Instead of hardcoding secrets in your blueprints, use [[VARIABLE_NAME]] placeholders. For example, use [[API_KEY]] instead of pasting an actual API key. Variables are resolved at execution time and never stored in the blueprint itself.

External Secret Managers

For production workflows, we recommend integrating with a dedicated secret manager to supply values for blueprint variables. Compatible solutions include HashiCorp Vault, Doppler, 1Password CLI, Infisical, and SOPS. This keeps secrets out of LynxPrompt entirely and centralizes access control and rotation.
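Placeholder resolution for the two paragraphs above (Template Variables and External Secret Managers), as an added example that is not LynxPrompt's own code. Values are supplied by a pluggable lookup function: the environment-backed provider matches how wrappers such as `doppler run`, `op run` or `infisical run` expose secrets, by injecting them as environment variables into the child process, so the blueprint itself never contains a value. Resolution fails closed when a variable has no value. The provider names, the placeholder grammar `[[UPPER_SNAKE]]` and the sample blueprint are this example's assumptions.

```python
# Added example (not LynxPrompt's own code): resolve [[VARIABLE]] placeholders at
# execution time from a pluggable secret source, refusing to run with gaps.
from __future__ import annotations
import os
import re
from typing import Callable, Mapping, Optional

# Assumed placeholder grammar: upper-case name, digits and underscores, in double brackets.
PLACEHOLDER = re.compile(r"\[\[([A-Z][A-Z0-9_]*)\]\]")

Lookup = Callable[[str], Optional[str]]


class MissingVariable(KeyError):
    """Raised when a placeholder has no value in any configured provider."""


def find_variables(blueprint: str) -> list[str]:
    """Distinct placeholder names in order of first appearance."""
    seen: list[str] = []
    for name in PLACEHOLDER.findall(blueprint):
        if name not in seen:
            seen.append(name)
    return seen


def resolve(blueprint: str, lookup: Lookup) -> str:
    """Substitute every placeholder via `lookup`. Raise MissingVariable for any
    unresolved name instead of emitting a blueprint with an empty secret."""
    missing = [n for n in find_variables(blueprint) if lookup(n) is None]
    if missing:
        raise MissingVariable(", ".join(missing))
    return PLACEHOLDER.sub(lambda m: lookup(m.group(1)), blueprint)


def env_provider(prefix: str = "") -> Lookup:
    """Read values from the process environment, as populated by a secret-manager
    CLI wrapper (e.g. `doppler run -- cmd`, `op run --env-file=.env -- cmd`)."""
    return lambda name: os.environ.get(prefix + name)


def dict_provider(values: Mapping[str, str]) -> Lookup:
    """Static values, useful for tests or for a pre-fetched batch from a vault API."""
    return lambda name: values.get(name)


def chain(*providers: Lookup) -> Lookup:
    """Consult providers in order; the first non-None value wins."""
    def lookup(name: str) -> Optional[str]:
        for provider in providers:
            value = provider(name)
            if value is not None:
                return value
        return None
    return lookup


# Constructed sample blueprint: stored form contains only placeholders.
SAMPLE_BLUEPRINT = "curl -H 'Authorization: Bearer [[API_KEY]]' https://api.example.test/v1/[[TENANT]]/jobs"

if __name__ == "__main__":
    print("needs:", find_variables(SAMPLE_BLUEPRINT))
    lookup = chain(env_provider("LYNX_"), dict_provider({"TENANT": "acme"}))
    try:
        print(resolve(SAMPLE_BLUEPRINT, lookup))
    except MissingVariable as e:
        print("refusing to run, unresolved:", e)
```

The resolved text is what gets executed and must be treated as sensitive (not logged, not written back to the blueprint store); the stored blueprint keeps only the placeholders, which is why it can be shared or federated safely.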

Federation Security

Independent Instances

Each instance in the LynxPrompt federation is independently operated. Operators maintain full control over their data, users, and configuration. No central authority can access or modify data on a federated instance.

Read-Only Blueprint Browsing

Blueprint discovery across federated instances is strictly read-only. Remote instances can list and view public blueprints but cannot modify, delete, or execute them. Write operations are always local to the instance that owns the blueprint.

No Credential Sharing

Credentials, secrets, and user sessions are never shared between federated instances. Authentication is local to each instance, and inter-instance communication carries no user tokens or private data.

Domain Verification

Federation peers are identified by domain. To be recognised as a legitimate participant, an instance must serve a valid manifest at https://<domain>/.well-known/lynxprompt.json. Because the manifest is fetched over HTTPS from the domain itself, only whoever controls that domain and its TLS certificate can publish one, which prevents impersonation; the TLS connection that fetches it also protects the manifest from tampering in transit.
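The checks a peer should make when fetching that manifest, as an added example that is not the LynxPrompt federation code. The manifest schema (a "domain" field naming the instance) and the fetch function are assumptions; the real manifest format is defined by the project. `fetch` is injected so the example runs offline against constructed responses, and it returns the final URL after redirects, because a redirect to another host must not be allowed to vouch for the original domain.

```python
# Added example (not LynxPrompt's federation code): validating a peer's
# .well-known/lynxprompt.json manifest. The "domain" field is an assumed schema.
from __future__ import annotations
import json
from typing import Callable
from urllib.parse import urlsplit

MANIFEST_PATH = "/.well-known/lynxprompt.json"

# fetch(url) -> (final_url_after_redirects, response_body)
Fetch = Callable[[str], tuple[str, bytes]]


class VerificationError(ValueError):
    pass


def verify_instance(domain: str, fetch: Fetch) -> dict:
    """Fetch the manifest for `domain` over HTTPS and return it parsed, or raise
    VerificationError if it does not prove that `domain` is a legitimate peer."""
    domain = domain.lower().strip(".")
    if not domain or any(c in domain for c in "/\\@ ?#"):
        raise VerificationError("invalid domain")

    final_url, body = fetch(f"https://{domain}{MANIFEST_PATH}")
    parts = urlsplit(final_url)

    # 1. Still HTTPS after any redirect: TLS is what binds the manifest to the
    #    domain and protects it from tampering on the way.
    if parts.scheme != "https":
        raise VerificationError("manifest not served over HTTPS")

    # 2. Served by the claimed host, not by a redirect target.
    if parts.hostname != domain:
        raise VerificationError(f"manifest served by {parts.hostname}, not {domain}")

    try:
        manifest = json.loads(body)
    except ValueError as exc:
        raise VerificationError("manifest is not valid JSON") from exc
    if not isinstance(manifest, dict):
        raise VerificationError("manifest must be a JSON object")

    # 3. The manifest names the same domain (assumed field), so a manifest copied
    #    from one instance and hosted on another does not validate.
    if str(manifest.get("domain", "")).lower() != domain:
        raise VerificationError("manifest domain does not match the domain it was fetched from")
    return manifest


def verification_fails(domain: str, fetch: Fetch) -> bool:
    """True if verify_instance rejects the peer (convenience for tests and demos)."""
    try:
        verify_instance(domain, fetch)
    except VerificationError:
        return True
    return False


# Constructed manifest for a hypothetical peer.
SAMPLE_MANIFEST = b'{"domain": "prompts.example.org"}'

if __name__ == "__main__":
    honest = lambda url: (url, SAMPLE_MANIFEST)
    redirected = lambda url: ("https://other.example.net" + MANIFEST_PATH, SAMPLE_MANIFEST)
    print(verify_instance("prompts.example.org", honest))          # parsed manifest
    print(verification_fails("prompts.example.org", redirected))  # True
```

In a real client the fetch would use an HTTP library with redirects followed and the final URL reported (for example `requests.get(url).url`), with a short timeout and a size limit on the body so a hostile peer cannot stall or exhaust the verifier.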

Open Source Security

GPL v3 License

LynxPrompt is open-source software released under the GNU General Public License v3. The source code remains freely available, and anyone who distributes a modified version must release it under the same license, which keeps the code open to review and fosters transparency and trust.

Publicly Auditable Code

The complete source code is available at github.com/GeiserX/LynxPrompt. Anyone can review the codebase, verify security claims, and inspect how data is handled. There are no hidden components or proprietary black boxes.

Community-Driven Improvements

Security benefits from many eyes. Our open-source model allows the community to identify vulnerabilities, suggest fixes, and contribute security improvements. We welcome responsible disclosure and actively review community contributions for security implications.

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly to security@lynxprompt.com. We take all reports seriously and will investigate promptly. Please do not disclose vulnerabilities publicly until we've had a chance to address them.

Questions?

If you have questions about our security practices or need additional information for your compliance requirements, please contact us at security@lynxprompt.com.

Related Documents