# Security Overview

> Understanding Fanfare's security architecture and practices.

Fanfare is built with security as a core principle. This document outlines our security architecture and the measures we take to protect your data and your consumers.

## Security Architecture

### Infrastructure Security

<CardGroup cols={2}>
  <Card title="Cloud Infrastructure" icon="cloud">
    Hosted on AWS with SOC 2 compliant infrastructure
  </Card>

  <Card title="Network Security" icon="shield">
    All traffic encrypted in transit with TLS 1.3
  </Card>

  <Card title="Data Encryption" icon="lock">
    Data encrypted at rest using AES-256
  </Card>

  <Card title="Access Controls" icon="key">
    Role-based access control and audit logging
  </Card>
</CardGroup>

### Data Flow Security

<img src="https://mintcdn.com/fanfare/9lBxxAA0GJkGRgw-/images/resources/security-data-flow.webp?fit=max&auto=format&n=9lBxxAA0GJkGRgw-&q=85&s=94d886f5ab1ac480029878fc2abb7a4f" alt="Security data flow diagram showing encrypted transport from consumer devices through Fanfare to customer systems." width="1774" height="887" data-path="images/resources/security-data-flow.webp" />

## Authentication & Authorization

### API Authentication

Fanfare uses a multi-layer authentication model:

| Key Type                | Usage            | Scope                |
| ----------------------- | ---------------- | -------------------- |
| Publishable Key (`pk_`) | Client-side SDK  | Read + limited write |
| Secret Key (`sk_`)      | Server-side API  | Full access          |
| Consumer Token          | Consumer session | User-specific access |

### Key Security

* **Publishable keys** are safe to include in client-side code
* **Secret keys** must never be exposed to clients
* All keys are organization-scoped and can be rotated

```typescript
// Safe: Publishable key in client code
const client = new FanfareClient({
  publishableKey: "pk_live_...", // OK to include
});

// NEVER: Secret key in client code
// const response = await fetch(url, {
//   headers: { Authorization: "Bearer sk_live_..." } // DANGER!
// });
```

### Session Security

Consumer sessions include multiple security layers:

* **JWT tokens** with short expiration
* **Session validation** against server state
* **Session integrity checks** handled by Fanfare
* **Automatic refresh** with secure token rotation

## Data Protection

### What We Store

Fanfare stores the data needed to operate experiences, authenticate consumers, and support customer reporting. Sensitive values are protected according to their data type and access path.

### What We Don't Store

* Full payment card numbers, which are handled by payment processors
* Consumer passwords for passwordless authentication flows
* Raw device specifications in public integration payloads

### Data Isolation

Each organization's data is isolated by organization context. Public APIs only return resources that belong to the authenticated organization or consumer session.

## Compliance

### Standards & Certifications

* **SOC 2 Type II**: Compliant infrastructure
* **GDPR**: Full compliance for EU users
* **PCI DSS**: Payment processing via certified partners
* **CCPA**: California privacy compliance

### Regular Audits

* Annual third-party security audits
* Quarterly penetration testing
* Continuous automated security scanning
* Bug bounty program for responsible disclosure

## Security Features

### Rate Limiting

API endpoints are rate-limited to help protect platform availability and fairness. When a request is limited, the API returns a standard rate-limit response with retry guidance where available.

### Request Signing

Webhook requests are signed for verification:

```typescript
// Verify webhook authenticity
const signature = req.headers["x-fanfare-signature"];
const isValid = verifySignature(payload, signature, webhookSecret);
```

### Audit Logging

All sensitive operations are logged:

* Authentication events
* Configuration changes
* Data access patterns
* Administrative actions

Access audit logs via the dashboard or API.

## Incident Response

### Our Commitment

* **Detection**: 24/7 monitoring and alerting
* **Response**: Security team on-call
* **Communication**: Prompt notification of affected parties
* **Resolution**: Root cause analysis and remediation

### Reporting Security Issues

If you discover a security vulnerability:

1. **Do not** disclose publicly
2. Email [security@fanfare.io](mailto:security@fanfare.io) with details
3. We'll acknowledge within 24 hours
4. Work with us on coordinated disclosure

## Security Best Practices

For your integration, we recommend:

<AccordionGroup>
  <Accordion title="Protect your secret keys">
    * Store in environment variables
    * Never commit to source control
    * Rotate periodically
    * Use separate keys for test/production
  </Accordion>

  <Accordion title="Verify webhooks">
    * Always verify webhook signatures
    * Use HTTPS endpoints only
    * Implement idempotency
    * Validate payload structure
  </Accordion>

  <Accordion title="Secure your checkout">
    * Validate handoff tokens server-side
    * Set appropriate session timeouts
    * Use HTTPS everywhere
    * Implement CSRF protection
  </Accordion>

  <Accordion title="Monitor for anomalies">
    * Track authentication failures
    * Monitor rate limit hits
    * Alert on unusual patterns
    * Review audit logs regularly
  </Accordion>
</AccordionGroup>
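
The following is an added example, not Fanfare's own code, showing one way to combine the `verifySignature` call from Request Signing with the "Verify webhooks" practices above (signature check, payload validation, idempotency). It assumes the signature is a hex-encoded HMAC-SHA256 of the raw request body and that events carry `id` and `type` fields; this page specifies neither, so check both against the webhook reference.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumption: x-fanfare-signature carries hex(HMAC-SHA256(secret, raw body)).
// The scheme is not specified on this page; adapt to the documented one.
function verifySignature(rawBody: string, signature: string | undefined, secret: string): boolean {
  // Reject missing or malformed values before any byte comparison.
  if (!signature || !/^[0-9a-f]{64}$/i.test(signature)) return false;
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest();
  const received = Buffer.from(signature, "hex");
  // Both buffers are 32 bytes here, which timingSafeEqual requires.
  return timingSafeEqual(expected, received);
}

// Hypothetical payload shape used for structure validation.
interface WebhookEvent { id: string; type: string }

function parseEvent(rawBody: string): WebhookEvent | null {
  try {
    const v = JSON.parse(rawBody);
    if (v && typeof v.id === "string" && typeof v.type === "string") {
      return { id: v.id, type: v.type };
    }
  } catch {
    return null; // not JSON at all
  }
  return null; // JSON, but not the expected shape
}

// In-memory for illustration; use a persistent store with a TTL in production.
const seen = new Set<string>();

type Outcome = "rejected" | "malformed" | "duplicate" | "processed";

function handleWebhook(rawBody: string, signature: string | undefined, secret: string): Outcome {
  // Verify over the raw body exactly as received, before parsing it.
  if (!verifySignature(rawBody, signature, secret)) return "rejected";
  const event = parseEvent(rawBody);
  if (!event) return "malformed";
  if (seen.has(event.id)) return "duplicate"; // redelivery: acknowledge, do not re-run
  seen.add(event.id);
  return "processed";
}

// Constructed sample values for local testing only.
const SECRET = "constructed-test-secret";
const BODY = JSON.stringify({ id: "evt_001", type: "example.event" });
const SIG = createHmac("sha256", SECRET).update(BODY, "utf8").digest("hex");
```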

## Related Resources

* [Authentication Best Practices](/resources/security/authentication) - Secure auth flows
* [Data Privacy](/resources/security/data-privacy) - GDPR and privacy
* [Bot Protection](/resources/security/bot-protection) - Fraud prevention
