Security
FastDOL aggregates publicly available federal enforcement data. We take the security of our platform and our customers' data seriously. Here's how we protect it.
Data Classification
- ✓ Public government data only. All employer compliance data is sourced from publicly available federal enforcement records (OSHA, WHD, MSHA, EPA, FMCSA, NLRB, OFLC, SAM.gov). No private or proprietary data is collected.
- ✓ Minimal customer data. We store only your email address, hashed password, and API usage logs. We do not store search queries, employer names searched, or results viewed.
- ✓ No PII in compliance data. Federal enforcement records contain employer/business names and addresses — not individual employee personal information.
Encryption
In Transit
TLS 1.2+ enforced on all connections. HSTS preload enabled with 2-year max-age. Modern cipher suites only.
At Rest
Database storage encrypted at the filesystem level. Backups encrypted before transfer.
Authentication & Access Control
- ✓ Argon2id password hashing — OWASP 2024 recommended algorithm (not bcrypt). Configurable time/memory cost parameters.
- ✓ RS256 JWT sessions — asymmetric signing with RSA-2048 keys. 8-hour token expiry. HttpOnly, Secure, SameSite=Lax cookies.
- ✓ API key security — keys are SHA-256 hashed before storage. Raw keys shown once at creation, never retrievable after. Key rotation with 48-hour NIST grace period.
- ✓ CSRF protection — double-submit cookie pattern with HMAC verification on all mutating dashboard endpoints.
- ✓ Rate limiting — per-IP throttling on authentication endpoints. Per-key quota enforcement with advisory locks to prevent race conditions.
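The API key lifecycle described above (SHA-256 digest stored, raw key returned only at creation, a 48-hour grace window after rotation, and an audit entry per event), as an added illustration that is not FastDOL's own code. It assumes an in-memory dict in place of the production PostgreSQL table and uses epoch seconds for timestamps so expiry can be tested deterministically.

```python
import hashlib
import secrets
import time

GRACE_PERIOD_SECONDS = 48 * 3600  # rotation grace window stated on the page


class ApiKeyStore:
    """In-memory stand-in for the key table (assumption: the real service keeps
    it in PostgreSQL). Only SHA-256 digests of keys are stored, never raw keys."""

    def __init__(self):
        self._records = {}  # digest -> {"owner": str, "expires_at": float | None}
        self.audit_log = []  # (event, owner, timestamp) tuples

    @staticmethod
    def _digest(raw_key):
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def _find(self, raw_key, now):
        """Return the live record for a raw key, or None if unknown or expired."""
        rec = self._records.get(self._digest(raw_key))
        if rec is None or (rec["expires_at"] is not None and now >= rec["expires_at"]):
            return None
        return rec

    def create(self, owner, now=None):
        """Generate a key and return it exactly once; only its digest is persisted."""
        now = time.time() if now is None else now
        raw_key = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._records[self._digest(raw_key)] = {"owner": owner, "expires_at": None}
        self.audit_log.append(("create", owner, now))
        return raw_key

    def authenticate(self, raw_key, now=None):
        """Return the owner of a valid key, else None."""
        now = time.time() if now is None else now
        rec = self._find(raw_key, now)
        return rec["owner"] if rec else None

    def rotate(self, raw_old_key, now=None):
        """Issue a replacement key; the old key stays valid for the grace period."""
        now = time.time() if now is None else now
        rec = self._find(raw_old_key, now)
        if rec is None:
            raise ValueError("unknown or expired key")
        rec["expires_at"] = now + GRACE_PERIOD_SECONDS
        self.audit_log.append(("rotate", rec["owner"], now))
        return self.create(rec["owner"], now)
```

A leaked database row therefore yields only digests, which cannot be presented as keys, and a rotated key stops authenticating exactly 48 hours after rotation.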
Infrastructure
- ✓ Dedicated servers — not shared hosting. Separate API and pipeline servers with restricted network access.
- ✓ Database security — PostgreSQL with scram-sha-256 authentication. Connection pooling via PgBouncer with query timeouts. Role-based access (API user has read-only access to analytics tables).
- ✓ HTTP security headers — Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Permissions-Policy (camera, mic, geolocation disabled).
- ✓ Automated backups — daily database backups with retention policy. Pipeline data checkpointed at each stage.
Application Security
- ✓ SQL injection prevention — all database queries use parameterized statements via asyncpg. No string interpolation of user input in SQL.
- ✓ Input validation — UUID format validation, email validation, state code whitelisting, ZIP code sanitization, password length constraints.
- ✓ Dependency management — pinned dependency versions. No use of eval(), exec(), or dynamic code execution.
- ✓ Error tracking — Sentry integration for real-time error monitoring. Structured JSON logging with request latency tracking.
Monitoring & Incident Response
- ✓ Health monitoring — automated health checks every 5 minutes covering database connectivity, data freshness, and pipeline status.
- ✓ Alerting — real-time alerts for API errors, failed email delivery, payment processing issues, and pipeline failures.
- ✓ Audit logging — API key creation, rotation, and revocation events logged with timestamps and actor identity.
Compliance & Legal
- ✓ OPEN Government Data Act — all data sourced under federal open data policy. Commercial use explicitly authorized. No restrictions on redistribution.
- ✓ DOL API Terms — compliant with Department of Labor data usage terms. Required disclaimer displayed: data is not endorsed or certified by DOL.
Security Questions?
For security questionnaires, vendor assessments, or to report a vulnerability, contact us.
security@fastdol.com