§ Security
Security you can read, not just take our word for.
STELE runs on Cloudflare's edge network with no third-party AI API in the data path, and an audit ledger that is append-only at the database layer. Here is exactly what that means — and a plain statement of what we have not yet certified.
Architecture
STELE runs entirely on Cloudflare’s developer platform: Workers for compute, R2 for object storage, D1 for the relational database and audit ledger, Vectorize for the semantic index, and Queues and Workflows for durable job orchestration. There is no separate cloud account or third-party host holding a second copy of your files — storage, compute, and the database sit inside the same network.
Document understanding runs on Workers AI — models hosted inside the same infrastructure that stores your documents. No third-party AI API sits in the data path: your content is not transmitted to an external inference provider to be classified, extracted, or summarized, and it is not used to train any model.
R2 is zero-egress object storage: there is no fee to read your own data back out, unlike hyperscaler storage classes that meter every byte leaving the region. That is a structural property of the architecture we built on, not a discount we chose to extend.
Data handling
Every job-scoped API route — status, extraction, contracts, categorization, relations, decisions, the original file, and delete — verifies that the caller owns the job, or holds the admin role, before it returns anything. That check runs inside the route handler on every request; it is not a UI-layer restriction a direct API call could bypass.
- Append-only audit ledger. Every ingestion, extraction, status transition, and human correction is written to an
audit_logstable in D1. The table is enforced append-only at the database layer — SQL triggers abort anyUPDATEorDELETEissued against it — so even a compromised application server can add to the record but cannot rewrite it. - GDPR-style delete.Deleting a document is a real hard delete: it removes the R2 object, the associated vector embeddings, and the database row, after confirming the caller owns the job. The delete itself is written to the ledger — by id and action only, never by content — so the audit trail survives even the record’s own removal.
Access control
- Session-based auth. Signed-in requests are authenticated by a server-verified session — either a first-party session cookie checked against the database, or a Cloudflare Access JWT for SSO-based deployments. There are no long-lived API keys embedded in client code.
- Password hashing.Passwords are hashed with PBKDF2-HMAC-SHA256 at 100,000 iterations — the ceiling Cloudflare Workers’ runtime allows for its built-in PBKDF2 — with a unique salt per user, and verified with a constant-time comparison.
- Rate limiting.Authentication and AI-driven endpoints are throttled at the network edge via Cloudflare’s rate-limiting bindings, not application-level counters a distributed caller could route around — including tighter limits on login attempts than on general API traffic.
Source availability
STELE ships under the Apache License 2.0. The repository is not publicly published yet — it’s a private codebase today, not an open-source project you can clone. If your security team wants to verify a specific claim on this page rather than take our word for it, email security@steledocs.comand we’ll arrange access to the relevant part of the source under NDA.
Compliance status
We have not obtained SOC 2, ISO 27001, HIPAA, FedRAMP, or any other third-party security certification, and none is scheduled for a specific date. We would rather state that plainly than lean on language that implies otherwise. In the meantime, the architecture, the source code, and your own workspace’s audit ledger are available for your security team to review directly. A signed Data Processing Addendum is available on request — see the DPA, alongside our privacy policy and terms of service.
Reporting a vulnerability
Found a problem? Email security@steledocs.com. We acknowledge within one business day.