Security
Last updated: 15 March 2026
OpenAttribution is open source infrastructure handling sensitive publisher telemetry. We take that seriously. This page describes how we protect data and how to report vulnerabilities.
Infrastructure
Hosting
- Application servers run on Fly.io in EU regions
- Database hosted on Neon (managed PostgreSQL) in AWS eu-west-2 (London)
- All services communicate over TLS. No unencrypted connections.
Architecture
- Three separate services: gateway (auth proxy), identity (accounts and domains), telemetry (event ingestion and querying)
- The gateway validates every request before forwarding to downstream services. Downstream services are not directly exposed to the internet.
- Services are stateless. Session state lives in the database.
Authentication
- Passwordless by default. We use magic links (email) and Google OAuth. No passwords to leak.
- Tokens hashed before storage. Session tokens and API keys are SHA-256 hashed. We cannot read your raw tokens from the database.
- Magic links are single-use. Tokens are deleted immediately after verification. They expire after 15 minutes.
- OAuth uses PKCE. Google OAuth flow uses Proof Key for Code Exchange and state parameters for CSRF protection.
- httpOnly cookies. Session cookies cannot be read by JavaScript. They are Secure (HTTPS only) and SameSite=Lax.
- API keys support revocation and expiry. Keys can be revoked instantly and optionally set to expire on a date.
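The magic-link handling described above (SHA-256 hash stored instead of the raw token, single use, 15-minute expiry), written out as an added example; this is not OpenAttribution's own code, and the in-memory dictionary stands in for the database table.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed example store: maps sha256(token) -> expiry timestamp.
# Only the digest is ever persisted, so a database read cannot recover the link.
TOKEN_TTL_SECONDS = 15 * 60  # magic links expire after 15 minutes


def hash_token(token: str) -> str:
    """Digest used as the storage key; the raw token never reaches the store."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(store: Dict[str, float], now: Optional[float] = None) -> str:
    """Mint a single-use token. The raw value is returned so it can be emailed;
    only its SHA-256 digest and expiry are written to the store."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
    store[hash_token(raw)] = now + TOKEN_TTL_SECONDS
    return raw


def verify_magic_link(store: Dict[str, float], raw: str, now: Optional[float] = None) -> bool:
    """Consume a token: valid only if its hash is present and not yet expired.
    The record is removed on the first presentation, valid or not, so the same
    link cannot be replayed and expired records do not linger."""
    now = time.time() if now is None else now
    expiry = store.pop(hash_token(raw), None)
    if expiry is None:
        return False  # unknown token, or already used
    return now < expiry


def purge_expired(store: Dict[str, float], now: Optional[float] = None) -> int:
    """Housekeeping for links that were never clicked; returns the count removed."""
    now = time.time() if now is None else now
    stale = [digest for digest, expiry in store.items() if expiry <= now]
    for digest in stale:
        del store[digest]
    return len(stale)
```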
Data protection
- Encryption in transit. All connections use TLS 1.2+.
- Encryption at rest. Neon encrypts all data at rest using AES-256.
- Organisation isolation. Every API request is scoped to an organisation via the gateway. Downstream services only see data for the authenticated organisation.
- No PII by design. The telemetry specification discourages personal data. The user_context field accepts opaque identifiers only.
- Credential separation. API keys, session tokens, and magic link tokens are stored hashed. Raw values exist only in transit.
Open source
Our specification, SDKs, and reference implementations are open source under Apache 2.0. The platform infrastructure code is also open source. You can audit it at github.com/openattribution-org.
Open source is a security feature, not a risk. More eyes on the code means more scrutiny of how we handle data.
What we do not do
- We do not run analytics, tracking pixels, or third-party scripts on the website
- We do not store passwords (authentication is passwordless)
- We do not access your Google account beyond basic profile information during OAuth sign-in
- We do not sell, share, or monetise your data
Responsible disclosure
If you find a security vulnerability in OpenAttribution, we would like to hear about it.
How to report
Email security@openattribution.org with a description of the vulnerability, steps to reproduce, and any relevant evidence.
What we commit to
- Acknowledge your report within 48 hours
- Provide an initial assessment within 5 working days
- Keep you informed of our progress
- Credit you publicly (unless you prefer not to be named)
- Not pursue legal action against good-faith security researchers
What we ask
- Do not access or modify other users' data
- Do not disrupt the service (no DoS testing against production)
- Give us reasonable time to fix the issue before public disclosure
- Do not use automated scanners against production without coordination
Incident response
If we discover or are notified of a security incident affecting user data:
- We will investigate immediately and contain the issue
- We will notify affected users within 72 hours as required by UK GDPR
- We will report to the Information Commissioner's Office where required
- We will publish a post-incident report describing what happened, what data was affected, and what we did to prevent recurrence
Contact
Security issues: security@openattribution.org
General privacy questions: privacy@openattribution.org