Security

Last updated: May 2026

1. Introduction

Ledger takes security seriously. Your financial data is encrypted, isolated per tenant, and protected by defence-in-depth controls at every layer — from Cloudflare’s global edge network down to our application code.

We welcome responsible disclosure from security researchers. If you discover a vulnerability, please follow the process described in this document. We commit to acknowledging your report promptly and working with you toward a coordinated fix.

2. Security Practices

Infrastructure

Ledger runs on Cloudflare’s global network using serverless Workers — no persistent servers to compromise. Cloudflare provides built-in DDoS protection and holds SOC 2 Type II, ISO 27001, and ISO 27701 certifications.

Encryption

All data is encrypted in transit using TLS 1.2 or higher, enforced via HSTS. Data at rest is encrypted using Cloudflare’s storage-level encryption across D1, R2, KV, and Durable Objects.

Authentication

Passwords require a minimum of 12 characters, following NIST 800-63B guidelines. Accounts are locked after 5 failed login attempts with a 15-minute cooldown. Sessions use httpOnly, Secure, and SameSite=Lax cookies.

Tenant isolation

Ledger uses a multi-tenant architecture with strict entity-scoped data access. Each firm’s data lives in its own Durable Object; every database query is filtered by the authenticated user’s entity, preventing cross-tenant data leakage by design.

Audit trail

Every write operation is recorded in a hash-chained, append-only audit log. Each entry is linked to the previous entry’s hash, making the log tamper-evident. Audit logs are retained for 7 years.

Security headers

All responses include: Strict-Transport-Security, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and a strict Referrer-Policy. CSRF protection validates the Origin header on all mutating requests.
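
An Origin check on mutating requests combined with the response headers listed above, as an added example that is not Ledger's code. The allow-list contents, the HSTS max-age and the Referrer-Policy value are assumptions; the page says only that the policy is strict.

```javascript
// Illustration only. ALLOWED_ORIGINS and the header values marked "assumed"
// are not taken from Ledger's configuration.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const ALLOWED_ORIGINS = new Set(['https://ledgerpro.ai', 'https://ledger.lk']); // assumed

const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', // value assumed
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin', // value assumed
};

// Returns null when the request may proceed, otherwise a rejection reason.
function csrfRejection(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return null;
  const origin = headers.get('Origin');
  if (origin === null) return 'missing Origin'; // fail closed on mutating requests
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return 'malformed Origin'; // includes the literal "null" sent for opaque origins
  }
  // Require the serialized form browsers send (scheme://host[:port], nothing else).
  if (parsed.origin !== origin) return 'malformed Origin';
  // Exact match against the allow-list; prefix or substring matching would
  // accept look-alike hosts such as https://ledgerpro.ai.example.
  return ALLOWED_ORIGINS.has(parsed.origin) ? null : 'cross-site Origin';
}

// Copies a response and sets the security headers on it, errors included.
function withSecurityHeaders(response) {
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) headers.set(name, value);
  return new Response(response.body, { status: response.status, headers });
}

// Minimal request handler: reject on CSRF failure, always attach the headers.
function handle(method, headers) {
  const reason = csrfRejection(method, headers);
  const res = reason
    ? new Response(`Forbidden: ${reason}`, { status: 403 })
    : new Response('ok', { status: 200 });
  return withSecurityHeaders(res);
}
```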

3. Compliance

Ledger is actively working toward SOC 2 Type II and ISO 27001 certification. The technical controls described in this document — encryption, access controls, audit logging, and security headers — are already implemented and enforced in production. Certification has not yet been achieved.

Our infrastructure sub-processors (Cloudflare, Stripe, SendGrid) are all SOC 2 Type II certified. We maintain documented security policies, access review processes, and an incident response plan.

4. Vulnerability Disclosure Policy

This section describes our Vulnerability Disclosure Policy (VDP). It governs how security researchers may report vulnerabilities to us, what we commit to in response, and the safe-harbor protections we extend to good-faith researchers.

5. Scope

In scope

The following assets are in scope for vulnerability reports:

  • ledgerpro.ai web application and API
  • ledger.lk web application and API
  • Authentication and session management
  • tRPC API endpoints
  • Cloudflare Workers (application layer only — not Cloudflare’s infrastructure)

Out of scope

The following are explicitly out of scope:

  • Cloudflare’s own infrastructure — report these directly to Cloudflare’s disclosure program
  • Third-party services (Stripe, SendGrid, Sentry, GitHub)
  • Denial of service attacks
  • Social engineering of Ledger staff
  • Physical security
  • Automated scanning without prior written permission

6. How to Report

Email your report to [email protected]. Please include:

  • A clear description of the vulnerability
  • Step-by-step instructions to reproduce the issue
  • The potential impact and affected asset(s)
  • Proof-of-concept code or screenshots (do not include live customer data)

You may encrypt your report using our PGP key (available on request). We accept reports in English, Sinhala, and Tamil.

7. Response SLA

We commit to the following response timelines:

  • Acknowledgement: within 5 business days of receiving your report.
  • Initial assessment: within 10 business days — we will confirm whether the issue is in scope and provide an initial severity assessment.
  • Critical vulnerabilities: patched within 30 days of confirmed reproduction.

We will keep you informed of progress throughout the remediation process. If we need additional information to reproduce or assess the issue, we will contact you promptly.

8. Safe Harbor

We will not take legal action against security researchers who discover and responsibly disclose vulnerabilities, provided they:

  • Act in good faith and follow this disclosure policy
  • Avoid accessing, modifying, or exfiltrating customer data
  • Do not disrupt or degrade production services
  • Report the vulnerability to us before any public disclosure

We request a 90-day coordinated disclosure window before any public disclosure, to allow us time to develop and deploy a fix. If you need to disclose sooner for any reason, please discuss this with us first.

This safe-harbor commitment is made in good faith. It does not waive our right to take action against researchers who act outside these boundaries, access data beyond what is necessary to demonstrate the vulnerability, or engage in malicious activity.

9. Recognition

We maintain a Hall of Fame for security researchers who responsibly disclose valid vulnerabilities. If you consent to being named, we will credit you publicly when the vulnerability is resolved.

We do not currently offer monetary bounties. A formal bug bounty program is planned post-launch — eligible researchers who report now will be considered for retrospective awards when the program launches.

For general support inquiries, contact [email protected]. For privacy-related questions, contact [email protected].