Security & trust

Built by people who secure national infrastructure.

The engineers behind taleseal have spent their careers securing UK critical national infrastructure. On those systems a security failure is a national story, not a bug ticket. A tale is a record people cite, so it gets the same discipline: every control on this page is live in the running service, and you can check most of them from your own terminal.

live in production · checkable with curl · no asterisks

Don’t take our word for it

02The sealed record

Sealed means sealed. Deleted means deleted.

Immutability
No edits after sealing

There is no edit path: not in the API, not in the dashboard, not for us. A tale is worth citing because it cannot quietly change.

Retraction
Withdrawn, never rewritten

A publisher can retract a tale: its contents are destroyed at once and the address answers 410 Gone, permanently. The address is never reused, so a link can never start telling a different story.

Expiry
Expired tales are really gone

A tale published with an expiry is deleted from the database when it lapses. Not hidden, deleted. That is the difference between a privacy feature and a privacy claim.

03Accounts and keys

Credentials we could not leak if we tried.

API keys
Stored only as a one-way hash

A key is shown once, at the moment you mint it, then kept as a SHA-256 hash. We cannot recover it, display it again, or lose it in a database dump.

Passwords
Hashed with scrypt

Passwords are hashed with scrypt, a memory-hard algorithm built to make bulk cracking expensive. Sign-in is rate limited per address and globally.

Abuse
Rate limits on every surface

Publishing, viewing, sign-in and key minting are all rate limited. Dashboard actions are origin-checked, so another site cannot act as you.

04Infrastructure

A short list of hands your data passes through.

The service runs on Fly.io, and error logs never contain tale content. Failures are correlated by request id, never by body.

Transport
HTTPS, forced

All traffic is forced to HTTPS, with HSTS telling browsers never to try anything else.

Headers
Strict on every response

Every response (pages, API, assets) carries strict security headers. This page ships zero JavaScript, and its own policy forbids any.

Logs
Never the tale, only the id

Error logs never contain tale content: failures are correlated by request id, never by body.

Sub-processors, all three of them

  • Fly.ioApplication hosting on Fly.io’s global infrastructure.hosting
  • NeonPostgres database. Tales, accounts and key hashes live here.database
  • DopplerSecrets management. Credentials never live in code or config files.secrets

05Found a hole?

Tell us first, and a human will answer.

Report vulnerabilities by email, or read the machine-readable version at /.well-known/security.txt.

[email protected]
  • Every report is read by a person and answered.
  • Please give us a reasonable window to fix the problem before disclosing it.
  • Do not test against other people’s tales or accounts.