Skip to main content

Our Security Promise

ULPI.io treats your documentation like the sensitive intellectual property it is. We implement multiple layers of security to ensure:
  • ✅ Your docs are never visible to other tenants
  • ✅ API keys are encrypted and securely stored
  • ✅ All communication is encrypted in transit
  • ✅ Data is encrypted at rest
  • ✅ You can delete your data at any time

Tenant Isolation

What is a Tenant?

A tenant is your organization’s isolated environment in ULPI. When you sign up, we create a tenant that contains:
  • Your repositories
  • Your documentation
  • Your API keys
  • Your team members
  • Your usage data
Think of it as your own private instance within ULPI.

How Isolation Works

1

Separate Collections

Each tenant gets a dedicated Typesense collection. Your documentation is physically separated from other users’ data.
2

Database Filtering

Every database query automatically includes your tenant ID. It’s impossible to accidentally query another tenant’s data.
3

API Key Scoping

API keys are tied to exactly one tenant. A key can only access that tenant’s documentation - no exceptions.
4

Application-Level Checks

Our code validates tenant ownership at multiple layers, not just at the API boundary.

Technical Implementation

// Every search query includes tenant ID
$results = $searchService->search(
    tenant: $authenticatedTenant,  // ← Enforced by middleware
    query: $query
);

// Typesense collection is tenant-specific
$collection = "tenant_{$tenant->id}_documents";

// Database models auto-scope by tenant
Repository::query()
    ->where('tenant_id', $tenant->id)  // ← Added automatically
    ->get();
For Technical Users: We use Laravel’s Global Scopes to automatically filter all queries by tenant ID. This prevents accidental cross-tenant access even if we write buggy code.

API Key Security

How Keys Are Stored

  1. Generation: Keys are generated using cryptographically secure random bytes
  2. Hashing: Full key is hashed with bcrypt before storage
  3. Storage: Only the hash is stored, never the plaintext key
  4. Display: Full key is shown once during creation, then never again
Your API key: ulpi_live_abc123def456...     (shown once)
Stored hash:  $2y$10$randomhash...          (stored in database)

Key Validation

When you use an API key:
1

Extract Key

ULPI extracts the Bearer token from your Authorization header
2

Find Token

We look up the token by its prefix for performance
3

Verify

The key is verified against the stored hash using bcrypt
4

Check Validity

We verify the key hasn’t expired, been revoked, or exceeded rate limits
5

Load Tenant

The key’s associated tenant is loaded and attached to the request

Key Scopes

Scopes limit what an API key can do:
ScopePermissions
mcp:searchSearch documentation
mcp:get_docRetrieve full documents
mcp:list_reposList repositories
repo:readRead repository metadata
repo:writeModify repository settings
Principle of Least Privilege: Only grant scopes that are absolutely necessary.
For MCP clients (Claude Desktop, VSCode), only these scopes are needed:
  • mcp:search
  • mcp:get_doc
  • mcp:list_repos

Data Encryption

In Transit

All communication with ULPI is encrypted:
  • HTTPS/TLS 1.3 for all API endpoints
  • Strong cipher suites only (no weak encryption)
  • HSTS headers to prevent downgrade attacks
  • Certificate pinning for mobile apps (coming soon)

At Rest

Your data is encrypted when stored:
  • Database: AES-256 encryption for sensitive fields
  • File storage: S3 server-side encryption
  • Backups: Encrypted before upload
  • Logs: Sanitized to remove sensitive data

Authentication

OAuth 2.0

When you sign up with Google or GitHub:
  • We never see your password
  • We only request minimal permissions
  • You can revoke access anytime
  • OAuth tokens are encrypted in our database

Sanctum Sessions

Frontend API authentication uses Laravel Sanctum:
  • HTTP-only cookies (safe from XSS)
  • CSRF protection on all mutations
  • Session expiration after inactivity
  • Device-specific tokens

Rate Limiting

To protect against abuse, ULPI enforces rate limits:
TierRate LimitBurst
Free10 req/min20 req
Pro100 req/min200 req
EnterpriseCustomCustom
Rate limits are per API key, not per user, so teams can share keys safely.

Audit Logging

Every MCP request is logged: 
MCP Request Log {
  tenant_id: 123
  api_key_id: 456
  tool_name: "search_documentation"
  request_params: { "query": "auth" }
  response_code: 200
  tokens_used: 450
  timestamp: 2025-01-18T10:30:00Z
}
You can review logs in the ULPI dashboard to:
  • Monitor API key usage
  • Detect suspicious activity
  • Debug integration issues
  • Track token consumption

Data Privacy

What We Collect

We do collect:
  • Documentation content (to index and search)
  • Repository metadata (names, URLs, branches)
  • Usage statistics (search queries, API calls)
  • Account information (email, name from OAuth)
We never collect:
  • Passwords (we use OAuth only)
  • Credit card numbers (handled by Stripe)
  • Private keys or credentials from your repos
  • Personal data from your documentation

Data Retention

Data TypeRetention
DocumentationUntil you delete the repository
API keysUntil you revoke them
Usage logs90 days
Account dataUntil you delete your account
Backups30 days

Data Deletion

You own your data and can delete it anytime:
1

Delete Repositories

Go to Repositories → Remove to stop indexing and delete docs
2

Revoke API Keys

Go to API Keys → Revoke All to invalidate all keys
3

Delete Account

Go to Settings → Delete Account to remove all data
Account deletion is permanent and immediate. All data is deleted within 24 hours and cannot be recovered.

Compliance

ULPI.io is committed to regulatory compliance:

GDPR Compliant

Full compliance with EU data protection regulations

CCPA Compliant

California Consumer Privacy Act compliance

SOC 2 Type II

In progress - Expected Q2 2025

ISO 27001

In progress - Expected Q3 2025

GDPR Rights

Under GDPR, you have the right to:
  • Access your data (export from dashboard)
  • Rectify incorrect data (edit in dashboard)
  • Erase your data (delete account)
  • Port your data (API export available)
  • Object to processing (opt-out of analytics)
Email privacy@ulpi.io to exercise these rights.

Security Best Practices

For Users

  • Never commit keys to Git
  • Don’t share keys in Slack/Discord
  • Use environment variables
  • Rotate keys every 90 days
  • Use separate keys per environment
  • Always choose “Restricted” token type
  • Only enable required scopes
  • Set expiration dates
  • Review key usage regularly
  • Check “Last Used” timestamps
  • Review usage logs for anomalies
  • Set up billing alerts
  • Revoke unused keys
  • Use strong OAuth password
  • Enable 2FA on GitHub/Google
  • Review authorized applications
  • Use unique email per service

For Organizations

  • Create separate tenants per team
  • Use role-based access (coming soon)
  • Implement key rotation policy
  • Audit key access quarterly
  • Whitelist ULPI IPs if possible
  • Use VPN for sensitive work
  • Monitor network traffic
  • Implement DLP policies
  • Don’t commit secrets to docs
  • Use .ulpiignore for sensitive files
  • Review indexed content regularly
  • Redact before indexing

Vulnerability Disclosure

Found a security issue? We appreciate responsible disclosure.

Reporting Process

  1. Email security@ulpi.io with details
  2. Do not publicly disclose until we’ve patched
  3. Include steps to reproduce
  4. Wait for our response (within 48 hours)

Bounty Program

We offer rewards for valid security vulnerabilities:
  • Critical: 500500-2,000
  • High: 250250-500
  • Medium: 100100-250
  • Low: 5050-100
See ulpi.io/security for full policy.

Infrastructure Security

Cloud Providers

ULPI uses enterprise-grade infrastructure:
  • Primary: AWS (us-east-1, eu-west-1)
  • Database: AWS RDS with encryption
  • Search: Typesense Cloud with isolation
  • CDN: CloudFlare with DDoS protection

Network Security

  • DDoS mitigation via CloudFlare
  • Web Application Firewall (WAF)
  • IP-based rate limiting
  • Automated threat detection

Operational Security

  • 24/7 monitoring with PagerDuty
  • Automated security patching
  • Regular penetration testing
  • Incident response plan

Questions?

Last updated: January 2025