Security

Last updated: 2026-05-26

Seekmodo is built around per-tenant isolation, signed requests, and minimal data retention. Below is the live list of controls.

Network & transport

  • TLS 1.3 enforced on all customer-facing endpoints (seekmodo.com, mcp.seekmodo.com).
  • HSTS with max-age=31536000; includeSubDomains; preload.
  • Origin firewall: Typesense and PostgreSQL ports are bound to private interfaces only.
  • Cloudflare in front of all customer-facing names; WAF managed rules enabled for the OWASP Top 10.

Authentication

  • Account passwords stored as bcrypt cost 12. We require ≥10 characters and one digit.
  • Optional TOTP MFA with 10 single-use recovery codes.
  • Session cookies are HttpOnly, SameSite=Lax, Secure, signed with a rotated AUTH_SECRET.
  • API requests carry an HMAC envelope (SHA-256 over tenant\nts\nnonce\nsha256(body)) with a 5-minute replay window.
  • Public key set served at /.well-known/jwks.json for plugin pairing.

Data handling

  • Tenant data is logically scoped at every layer (Postgres, Typesense, telemetry).
  • Backups encrypted with AES-256, retained 30 days.
  • On account cancellation, all customer data is deleted within 30 days.

Operational

  • Per-tenant rate limits (default: 600 req/min on Growth, 120 on Starter, 30 on Hobby).
  • Audit log of every authenticated request (latency, status, tool, tenant) retained 30 days.
  • Production deployments are pinned to a git SHA; the /v1/health endpoint reports it.

Disclosure

Report a vulnerability to [email protected]. We acknowledge within 24 hours and aim to resolve high-severity issues within 7 days. See /.well-known/security.txt for the formal contact record.