Security Practices & Architecture

Effective: March 22, 2026 · Last Updated: March 22, 2026

Bestia Technologies Inc. ("Bestia", "we") takes the security of your data seriously. This document describes the technical and organisational measures we employ to protect your data within WhatsDone.

1. Encryption

1.1 Data in transit

  • All data transmitted between your browser and our servers is encrypted using TLS 1.3 (minimum TLS 1.2).
  • All API calls to third-party services (Google APIs, Anthropic API) are encrypted using TLS.
  • We enforce HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.
  • Certificate pinning is implemented for critical API endpoints.

1.2 Data at rest

  • All database storage is encrypted using AES-256 encryption.
  • Database backups are encrypted using the same standard.
  • OAuth tokens are encrypted at rest using application-level encryption with regularly rotated keys.
  • Encryption keys are managed through secure key management practices with separation of duties.

2. Authentication and Access Control

2.1 User authentication

  • Google OAuth 2.0: We use Google's OAuth 2.0 implementation for authentication. We never store your Google password.
  • Session management: Sessions use secure, HttpOnly, SameSite cookies with cryptographically random session identifiers.
  • Token rotation: OAuth refresh tokens are rotated on each use. Expired tokens are immediately invalidated.
  • One-time passwords: For sensitive operations (e.g., account deletion, data export), we require additional verification via one-time passwords sent to your registered email.
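As an added illustration of the session and one-time-password controls listed above (example code written for this page, not WhatsDone's own implementation), the following shows a server-side session store keyed by a CSPRNG identifier, the cookie attributes named in the session-management item, and an e-mail OTP that is stored hashed, expires, and is consumed on first use. The class names, cookie name and lifetimes are assumptions.

```python
# Added example (not WhatsDone code): a minimal session store and e-mail OTP
# flow with the properties section 2.1 describes. Names such as SessionStore,
# OtpStore and the cookie name "wd_session" are assumptions for illustration.
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 8 * 3600      # assumed session lifetime
OTP_TTL_SECONDS = 10 * 60           # assumed one-time-password lifetime
COOKIE_NAME = "wd_session"          # assumed cookie name


class SessionStore:
    """Server-side sessions keyed by a cryptographically random identifier."""

    def __init__(self):
        self._sessions = {}  # session_id -> (user_id, expires_at)

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        # 32 random bytes (256 bits) from the OS CSPRNG; unguessable by design.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user_id, now + SESSION_TTL_SECONDS)
        return session_id

    def lookup(self, session_id, now=None):
        """Return the user id for a live session, or None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(session_id, None)  # expired: drop it
            return None
        return user_id

    def revoke(self, session_id):
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id, max_age=SESSION_TTL_SECONDS):
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access),
    SameSite=Lax (not sent on cross-site POSTs), scoped to the whole site."""
    return (f"{COOKIE_NAME}={session_id}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


class OtpStore:
    """One-time passwords for sensitive operations: 6 random digits, stored
    only as a hash, valid for a short window, consumed on first use."""

    def __init__(self):
        self._pending = {}  # user_id -> (sha256(code), expires_at)

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user_id] = (digest, now + OTP_TTL_SECONDS)
        return code  # would be e-mailed to the user, never logged

    def verify(self, user_id, code, now=None):
        now = time.time() if now is None else now
        # Single use: any attempt, right or wrong, consumes the pending code,
        # so a guess cannot be retried against the same OTP.
        entry = self._pending.pop(user_id, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if now >= expires_at:
            return False
        # Constant-time comparison of the hashes avoids a timing side channel.
        presented = hashlib.sha256(code.encode()).hexdigest()
        return hmac.compare_digest(digest, presented)
```

The store holds only a hash of the OTP, so a leaked database row does not reveal a usable code, and a wrong guess discards the pending OTP rather than leaving it open to further attempts.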

2.2 Internal access control

  • Principle of least privilege: Team members have access only to the systems and data necessary for their role.
  • No standing access to customer data: No Bestia employee has persistent access to customer email content or personal data. Access requires explicit justification and approval, and is time-limited.
  • Audit logging: All access to production systems and customer data is logged with immutable audit trails.
  • Multi-factor authentication: All Bestia team members use MFA for access to production infrastructure, code repositories, and administrative tools.

3. Application Security

  • Input validation: All user inputs are validated and sanitised to prevent injection attacks (SQL injection, XSS, command injection).
  • CSRF protection: All state-changing operations require valid CSRF tokens.
  • Content Security Policy: We implement strict CSP headers to prevent XSS and data exfiltration.
  • Rate limiting: API endpoints are rate-limited to prevent brute-force attacks and abuse.
  • Dependency management: We regularly audit and update dependencies to address known vulnerabilities. Critical security patches are applied within 24 hours.
  • Secure development: Code changes require peer review and pass automated security scanning before deployment.
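To make two of the controls above concrete, here is an added example (written for this page, not WhatsDone's own code) of a CSRF token bound to the user's session with an HMAC and verified in constant time, together with a sliding-window rate limiter of the kind placed in front of login and other abuse-prone endpoints. The secret key, the window sizes and the request shape are assumptions.

```python
# Added example (not WhatsDone code): two of the controls section 3 lists,
# a session-bound CSRF token and a per-client rate limiter. CSRF_KEY, the
# limits and the function names are assumptions for illustration.
import hashlib
import hmac
import secrets
import time
from collections import deque

# Assumed per-deployment secret; in practice loaded from a key-management service.
CSRF_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Stateless synchroniser token: a random nonce plus an HMAC over
    (session_id, nonce). The token is only valid for that one session."""
    nonce = secrets.token_hex(16)
    msg = f"{session_id}:{nonce}".encode()
    mac = hmac.new(CSRF_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for the presented nonce and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    msg = f"{session_id}:{nonce}".encode()
    expected = hmac.new(CSRF_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_check(method, session_id, form_token):
    """Safe methods pass; state-changing ones need a token valid for this session."""
    if method not in STATE_CHANGING:
        return True
    return verify_csrf_token(session_id, form_token)


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds
    per key (e.g. per account for login, per client IP for anonymous routes)."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = {}  # key -> deque of request timestamps

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # forget hits that fell out of the window
        if len(q) >= self.limit:
            return False  # caller answers 429 Too Many Requests
        q.append(now)
        return True
```

Because the token carries its own MAC, the server keeps no per-token state, yet a token captured from one session cannot be replayed in another, and a token that is absent, truncated or tampered with fails closed.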

4. Infrastructure Security

  • Hosting: WhatsDone is hosted on Railway, which provides isolated container environments, automatic scaling, and built-in DDoS protection.
  • Network isolation: Production databases are not directly accessible from the public internet. All database connections go through application-level access controls.
  • Automated deployments: Deployments are automated from version-controlled code. No manual changes to production infrastructure.
  • Monitoring: We monitor infrastructure health, error rates, and anomalous activity patterns 24/7 with automated alerting.

5. Data Backup and Recovery

  • Automated backups: Production databases are backed up continuously with point-in-time recovery capability.
  • Backup encryption: All backups are encrypted using AES-256.
  • Backup retention: Backups are retained for 90 days, then permanently destroyed.
  • Recovery testing: We periodically test backup restoration to ensure data can be recovered in the event of an incident.
  • Geographic redundancy: Backups are stored in a separate geographic region from the primary database to protect against regional outages.

6. Incident Response

In the event of a security incident:

  • Detection: Automated monitoring and alerting systems are designed to detect anomalous activity, unauthorised access attempts, and data exfiltration indicators.
  • Containment: Upon detection, the incident response team will contain the incident within 1 hour by isolating affected systems.
  • Notification: Affected users will be notified within 72 hours of confirmed detection, as required by applicable data protection laws (and within 24 hours for UK GDPR compliance where feasible).
  • Remediation: Root cause analysis and remediation will be completed and a post-incident report will be published within 14 days.
  • Regulatory notification: We will notify relevant supervisory authorities (ICO, state attorneys general) as required by applicable law.

7. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities.

  • Report vulnerabilities to: security@bestia.ai
  • Response time: We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.
  • No legal action: We will not pursue legal action against researchers who report vulnerabilities in good faith, follow responsible disclosure practices, and do not access or modify other users' data.
  • Credit: With your permission, we will credit you in our security acknowledgements.

8. Compliance

  • Google API Services User Data Policy: We comply with Google's Limited Use Requirements for handling Gmail data.
  • GDPR / UK GDPR: We implement appropriate technical and organisational measures as required by Articles 25 and 32.
  • CCPA/CPRA: We implement reasonable security procedures as required by California law.
  • SOC 2: We are working towards SOC 2 Type II certification and follow its trust service criteria as our security baseline.

9. Contact
