Security & Secret Management
- Runtime/Build-Time Environment Variables: All API keys are managed through runtime/build-time environment variables, which are inserted into the code during the Docker build. No environment variables are stored in the code or the Dockerfile, as all configuration management files are listed in .gitignore.
- Production / Development Version Access: The machine hosting the production version is IP restricted and can only be accessed via SSH.
- Multi-Environment Configuration: The development and production builds are totally separate, with no shared variables, to prevent cross-environment leaks. Variables are loaded according to the environment configured at build time.
- IP Based Access-Control: Only certain machines/IPs are allowed access to the database.
- No Secret Push to VCS: We use GitHub for version control, and it is configured so that if any environment variable is pushed in plaintext code, an alert is immediately issued to us via email.
- RBAC: Only select users can view or edit the environment variables.
- Encryption of Keys: All sensitive API keys requiring higher security (e.g., payment gateway keys and their secrets) are encrypted using AES-256 and decrypted only when used in an API call.
- Encrypted File Access: Any certificate, private key, or similar file required for access to a third-party API is stored in our private S3 bucket and cannot be accessed without the bucket's key and secret.
- Backups: All other backups of passwords, secret keys, and API keys are kept in secure storage (Bitwarden), which also has RBAC. All databases are backed up daily.
- Hosting Provider: We use DigitalOcean for all our hosting needs, which is SOC2, SOC3, CSA, GDPR, and CBPR compliant.
© CredBrick. All rights reserved by Nullpalette Private Limited.