πŸ” API Security Overview

ClosedLoop AI takes security seriously. This section covers API security practices, authentication methods, data protection measures, and rate limiting for secure integration.

🔑 Authentication & API Keys

API Key Security

  • Store your API key securely and never expose it in client-side code
  • Use environment variables or secure key management systems
  • Rotate your API keys regularly for enhanced security
  • API keys are tied to your team and inherit your team’s permissions

Best Practices

  • Never log or print API keys in your application logs
  • Use different API keys for different environments (test vs production)
  • Monitor your API usage for unusual patterns
  • Report any security concerns to security@closedloop.sh

πŸ›‘οΈ Data Protection

Encryption in Transit

  • All API communications use HTTPS/TLS 1.3 encryption
  • Webhook endpoints support HMAC signature verification
  • API keys are transmitted securely over encrypted connections

Data Isolation

  • Customer data is isolated per team with strict access controls
  • No cross-team data access or sharing
  • Data is processed securely and never stored longer than necessary

Data Retention

  • Raw customer data is processed and then securely deleted
  • Only AI-generated insights are retained for your team
  • You can request data deletion at any time

🚦 Rate Limits & Abuse Prevention

Rate Limiting

  • Free Plan: 100 requests/hour
  • Pro Plan: 1,000 requests/hour
  • Enterprise: 10,000 requests/hour

Rate Limit Headers

All API responses include rate limit information in headers:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200

Rate Limit Behavior

  • Rate limits are applied per API key
  • Exceeding limits returns HTTP 429 (Too Many Requests)
  • Limits reset at the top of each hour
  • Consider implementing exponential backoff for retries
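Putting the rate-limit headers and the backoff advice together: the following is an added example (not ClosedLoop's own client code) of a retry wrapper that honours X-RateLimit-Reset on a 429 and otherwise backs off exponentially with jitter. It assumes a caller-supplied send() that returns (status_code, headers); the sleep and clock parameters exist so the behaviour can be checked without real waiting.

```python
import random
import time

# Added example, not ClosedLoop's own client code. `send` is an assumed callable
# that performs one API request and returns (status_code, headers_dict).

RESET_HEADER = "X-RateLimit-Reset"  # epoch seconds at which the window resets


def seconds_until_reset(headers, now):
    """Seconds to wait for the current window to reset, or None if the header is absent or unparsable."""
    value = headers.get(RESET_HEADER)
    if value is None:
        return None
    try:
        return max(0.0, float(value) - now)
    except ValueError:
        return None


def backoff_delay(attempt, base=1.0, cap=60.0):
    """Exponential backoff with full jitter: uniform in [0, min(cap, base * 2**attempt)]."""
    return random.uniform(0, min(cap, base * (2 ** attempt)))


def request_with_backoff(send, max_attempts=5, sleep=time.sleep, clock=time.time):
    """Call send() until it returns a non-429 status or the attempts are exhausted.

    On HTTP 429 the wait is the larger of the server-announced reset time and the
    jittered backoff, so the client never retries before its window reopens.
    Returns (status, headers, attempts_used).
    """
    headers = {}
    for attempt in range(max_attempts):
        status, headers = send()
        if status != 429:
            return status, headers, attempt + 1
        delay = backoff_delay(attempt)
        reset_wait = seconds_until_reset(headers, clock())
        if reset_wait is not None:
            delay = max(delay, reset_wait)
        sleep(delay)
    return 429, headers, max_attempts
```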

🔒 Webhook Security

HMAC Verification

All webhook endpoints support HMAC signature verification to ensure data integrity:
import hmac
import hashlib

# Verify webhook signature: HMAC-SHA256 over the raw request body, keyed with the webhook secret
signature = hmac.new(
    webhook_secret.encode('utf-8'),
    request_body.encode('utf-8'),
    hashlib.sha256
).hexdigest()

# Compare in constant time so the check does not leak timing information;
# a missing header is treated as a failed verification
if not hmac.compare_digest(signature, request_headers.get('X-Webhook-Signature', '')):
    return 401  # Unauthorized

Webhook Best Practices

  • Always verify HMAC signatures
  • Use HTTPS endpoints for webhook receivers
  • Implement idempotency to handle duplicate webhooks
  • Set appropriate timeouts for webhook processing

🚨 Incident Response

Security Monitoring

  • Security monitoring and alerting
  • Regular security assessments and updates

Incident Reporting

If you discover a security vulnerability or incident:
  1. Email: security@closedloop.sh
  2. Include: Detailed description, steps to reproduce, potential impact
  3. Response: We’ll acknowledge within 24 hours and provide updates

🔧 Security Configuration

Environment Variables

# Secure API key storage
export CLOSEDLOOP_API_KEY="your-secure-api-key"

# Webhook secret for HMAC verification
export WEBHOOK_SECRET="your-webhook-secret"

Docker Security

# Use non-root user
RUN adduser --disabled-password --gecos '' appuser
USER appuser

# Copy only necessary files
COPY --chown=appuser:appuser . /app

Network Security

  • Use VPN or private networks for sensitive integrations
  • Implement proper firewall rules
  • Monitor network traffic for anomalies

📞 Security Support

Contact Information

Report a Security Issue

Contact our security team for vulnerabilities or incidents