Security

How ChainGraph protects your data and maintains platform integrity.

Authentication

  • Firebase Authentication — industry-standard auth with email/password and Google SSO
  • RS256 JWT sessions — cryptographically signed session tokens with configurable expiry
  • HTTP-only cookies — session tokens stored in secure, HTTP-only cookies (not accessible via JavaScript)
  • CSRF protection — SameSite cookie policy and origin validation

Authorization & tenant isolation

ChainGraph is a multi-tenant platform. Every database query is scoped to the authenticated user's tenant. Tenant isolation is enforced at the ORM level — it is not possible to access another tenant's data through the API.

  • Every PostgreSQL query includes a tenant_id filter
  • Investigations, monitors, labels, and findings are tenant-scoped
  • Shared investigations use a separate read-only pathway with no tenant context

Data protection

  • Encryption in transit — all connections use TLS 1.2+ (enforced by Cloudflare and Caddy)
  • Encryption at rest — server disks use full-disk encryption
  • No private keys — ChainGraph only indexes public blockchain data; no private keys or wallet credentials are ever stored
  • Minimal PII — only email address and display name are stored for user accounts

Query safety

User-submitted Cypher and SQL queries are executed in a sandboxed, read-only context:

  • ClickHouse queries run with readonly=1
  • Cypher queries are parsed to block write operations (CREATE, DELETE, SET, MERGE)
  • SQL queries are validated to block write operations (INSERT, UPDATE, DELETE, DROP, etc.)
  • Dangerous functions (file I/O, network access) are blocked
  • All queries have a 30-second timeout
  • Results are capped at 10,000 rows
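As an added illustration (not ChainGraph's own code), one way to implement the write-operation and dangerous-function checks above in Python: the keyword test runs only after string literals, quoted identifiers and comments have been blanked out, so a keyword inside a literal is not a false positive and a keyword hidden behind a comment is still caught. The function blocklists and the ClickHouse setting values are assumptions; the page does not publish the exact lists.

```python
import re

# Write operations named on the page, plus an assumed blocklist of I/O and
# network functions (file/url/s3/remote are real ClickHouse table functions,
# apoc.load.* are real Neo4j APOC procedures; ChainGraph's real lists are unknown).
BLOCKED = {
    "sql": {
        "keywords": {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE", "CREATE"},
        "functions": {"file", "url", "s3", "remote"},
    },
    "cypher": {
        "keywords": {"CREATE", "DELETE", "DETACH", "SET", "MERGE", "REMOVE", "LOAD"},
        "functions": {"apoc.load.json", "apoc.load.csv"},
    },
}

# Real ClickHouse setting names for the page's runtime guards (read-only
# session, 30-second timeout, 10,000-row cap); the values mirror the page.
CLICKHOUSE_SETTINGS = {"readonly": 1, "max_execution_time": 30,
                       "max_result_rows": 10_000, "result_overflow_mode": "break"}

# Alternatives are tried in this order, so a comment marker inside a string
# is consumed as part of the string rather than starting a comment.
_LITERAL_OR_COMMENT = re.compile(
    r"""'(?:[^'\\]|\\.)*'   # single-quoted string (backslash escapes)
      | "(?:[^"\\]|\\.)*"   # double-quoted string or identifier
      | `[^`]*`             # backtick-quoted identifier
      | --[^\n]*            # SQL line comment
      | //[^\n]*            # Cypher line comment
      | /\*.*?\*/           # block comment, both dialects
    """,
    re.VERBOSE | re.DOTALL,
)
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def strip_literals(query: str) -> str:
    """Blank out literals and comments so keywords inside them are ignored and
    keywords disguised by them are still seen. An unterminated quote is left in
    place, which errs on the side of rejecting the query."""
    return _LITERAL_OR_COMMENT.sub(" ", query)


def check_query(query: str, dialect: str):
    """Return (allowed, reason). Dotted names such as n.set or t.delete form one
    token, so property access never trips the keyword check."""
    rules = BLOCKED[dialect]
    for tok in _WORD.findall(strip_literals(query)):
        if tok.upper() in rules["keywords"]:
            return False, f"write operation not allowed: {tok.upper()}"
        if tok.lower() in rules["functions"]:
            return False, f"blocked function: {tok.lower()}"
    return True, None
```

This is a conservative token filter, not a full parser: a column literally named `url` in SQL would be rejected, which is the safe direction for a read-only sandbox.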

Infrastructure

  • Hosted in Germany — dedicated Hetzner server (EU jurisdiction, GDPR-compliant)
  • Cloudflare CDN — DDoS protection and edge caching
  • UFW firewall — only ports 22 (SSH), 80, and 443 are open
  • fail2ban — automatic IP banning for brute-force attempts
  • No shared hosting — dedicated bare-metal server, not a shared cloud VM

Rate limiting

All API endpoints are rate-limited to prevent abuse. Anonymous endpoints use IP-based limits. Authenticated endpoints use per-user limits. Exceeding limits returns HTTP 429 with a Retry-After header.

Audit logging

All significant user actions are logged in an immutable audit trail:

  • Login / logout events
  • Investigation creation, modification, deletion
  • Query execution (Cypher and SQL)
  • Export and sharing actions
  • Admin actions (impersonation, configuration changes)

Responsible disclosure

If you discover a security vulnerability, please report it responsibly by emailing [email protected]. We respond to all reports within 48 hours and will work with you to understand and resolve the issue.

Compliance

  • GDPR — data deletion requests honored within 30 days
  • Data export — users can export all their data at any time
  • Cookie consent — only essential cookies are used; analytics require consent
Security — ChainGraph Docs