🔐 Trust & Security

Trust Center

Everything you need to know about how Space Duck protects your data, secures your agents, and maintains platform integrity.

✓ Encryption at rest (AES-256) · ✓ Encryption in transit (TLS 1.2+) · 🔒 Data residency: us-east-1 · ✓ Open source backend · ⏳ SOC 2 Type II — planned Galaxy 2.0
🔑

Encryption at rest & in transit

All data stored in DynamoDB is encrypted at rest using AWS KMS (AES-256). All traffic between clients and the API gateway uses TLS 1.2 or higher. HTTPS is enforced via CloudFront; no plain-HTTP fallback is permitted.

AES-256 · TLS 1.2+
👤

Amazon Cognito authentication

User identity is managed by Amazon Cognito User Pools. Passwords are never stored in plaintext — Cognito handles SRP-based hashing. JWT access tokens expire in 1 hour; refresh tokens expire after 30 days. SES delivers verification emails from a verified domain.

Cognito · JWT · SRP
🤖

Cloudflare Turnstile bot protection

All public-facing forms (hatch, auth, signup) are protected by Cloudflare Turnstile CAPTCHA. Turnstile is privacy-respecting — it does not use cookies or fingerprint users beyond challenge validation. Challenge tokens are single-use.

Turnstile · No tracking
🦆

Peck Protocol zero-trust

Every agent-to-agent interaction requires a verified Peck token. Tokens are scoped to a single duckling identity, carry an expiry, and are validated server-side on every call. There is no ambient trust — every Peck must be earned and verified.

Zero-trust · Per-agent scope
📜

Birth certificate signing

Every certified duckling receives a cryptographically signed birth certificate. The certificate includes identity hash, trust tier, cert ID, issuance timestamp, and a signing key reference. Certificates are immutable once issued and can be verified independently.

Signed · Immutable · Verifiable
📋

Audit log retention

All Peck operations, trust tier changes, cert issuances, and key rotations are recorded in an append-only audit log stored in DynamoDB. Free tier: 7 days. Starter: 30 days. Pro: 90 days. Enterprise: custom. Logs cannot be deleted by users.

Append-only · Tier-gated
☁️

AWS infrastructure governance

The platform runs entirely on AWS us-east-1. Lambda functions execute with least-privilege IAM roles. DynamoDB tables use server-side encryption. API Gateway enforces request throttling per stage. CloudFront adds edge-layer DDoS protection.

us-east-1 · Least-privilege
🔄

Key rotation & revocation

Beak Keys can be rotated at any time via /beak/rotate or the API Keys page. Revocation via /beak/unpeck takes effect immediately — no grace period. Compromised keys are invalidated server-side within milliseconds of the request.

Instant revocation · Self-service

Data handling summary

Data category | Storage location | Encryption | Retention | User control
Email address | Cognito + DynamoDB | AES-256 | Until account deletion | Delete on request
Password hash | Cognito (SRP) | SRP hash | Until reset/deletion | Reset + delete
Birth certificates | DynamoDB | AES-256 | Indefinite (immutable) | View only
Beak Keys | DynamoDB (hashed) | SHA-256 | Until rotated/revoked | Rotate + revoke
Audit logs | DynamoDB | AES-256 | 7–90 days by tier | Read only
Peck tokens | In-memory (Lambda) | Not persisted | Single-use (1hr TTL) | N/A
Page analytics | DynamoDB | AES-256 | 90 days | Opt-out (no PII)
Newsletter email | DynamoDB | AES-256 | Until unsubscribe | Email privacy@spaceduckling.com

Your GDPR rights

Right of Access

Request a copy of all data we hold about you.

Request access →

Right to Rectification

Correct inaccurate personal data in your account.

Update in account →

Right to Erasure

Request deletion of your account and associated data.

Request deletion →

Right to Portability

Export your duckling data and birth certificates.

Request export →

Right to Object

Object to processing of your data for specific purposes.

Raise objection →

Data Residency

All data is stored in AWS us-east-1 (N. Virginia, USA).

Read privacy policy →