
Security

Security & data handling.

FastDOL aggregates publicly available federal enforcement data. The platform itself is small but the security posture is taken seriously — here's the surface area.

Reference

  • Last updated: April 2026
  • Vuln reporting: security@fastdol.com
  • Architecture: Dedicated host

Data classification

  • Public government data only. All employer compliance data is sourced from publicly available federal enforcement and program records (OSHA, WHD, MSHA, EPA, NLRB, FMCSA, OFLC, BLS, SAM.gov, CMS, SEC, CPSC, NHTSA) plus the UVA Corporate Prosecution Registry (academic). No private or proprietary data is collected.
  • Minimal customer data. Email address, hashed password, and API usage logs. Search queries and viewed-employer telemetry are not stored.
  • No PII in compliance data. Federal enforcement records contain employer / business names and addresses — not individual employee personal information.

Encryption

In transit: TLS 1.2+ enforced on all connections. HSTS preload enabled with a 2-year max-age. Modern cipher suites only.

At rest: database storage is encrypted at the filesystem level. Backups are encrypted before transfer to off-host storage.

Authentication & access control

  • Argon2id password hashing — OWASP 2024 recommended algorithm (not bcrypt). Configurable time / memory cost parameters.
  • RS256 JWT sessions — asymmetric signing with RSA-2048 keys. 8-hour token expiry. HttpOnly, Secure, SameSite=Lax cookies.
  • API key security — keys are SHA-256 hashed before storage; only the digest is kept, so a database leak yields nothing usable. Raw keys are shown exactly once at creation and are never retrievable afterwards. Rotation keeps the previous key valid for a 48-hour grace period so clients can cut over without an outage; after that only the new key authenticates. Revocation invalidates every key for the account, including one still inside its grace window.
  • CSRF protection — double-submit cookie pattern with HMAC verification on every mutating dashboard endpoint.
  • Rate limiting — per-IP throttling on authentication endpoints, per-key quota enforcement with PostgreSQL advisory locks to prevent race conditions.
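The API-key lifecycle (hash-only storage, one-time display, rotation with a grace window, revocation, audit events) and the HMAC-bound double-submit CSRF check, as an added example that is not FastDOL's own code. It assumes an in-memory store standing in for the PostgreSQL tables, a made-up `fd_` key prefix, a per-deployment `CSRF_SECRET`, and function and field names chosen for illustration; only the 48-hour window and the mechanisms themselves come from the page.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example (not FastDOL's code). The dicts stand in for database tables;
# the "fd_" prefix, names and the audit-log shape are assumptions.
GRACE_SECONDS = 48 * 3600  # rotation grace window described on the page


def hash_key(raw_key: str) -> str:
    """Keys are high-entropy random strings, so an unsalted SHA-256 suffices:
    the stored digest cannot be reversed or brute-forced, and equality lookups
    on an indexed hash column stay cheap."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class ApiKeyStore:
    # key_hash -> (owner, expires_at). expires_at is None for the live key and a
    # timestamp for a previous key that is still inside its rotation grace window.
    _index: dict[str, tuple[str, float | None]] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def _audit(self, event: str, owner: str, actor: str, now: float) -> None:
        self.audit_log.append({"event": event, "owner": owner, "actor": actor, "ts": now})

    def create(self, owner: str, *, actor: str, now: float) -> str:
        raw = "fd_" + secrets.token_urlsafe(32)
        self._index[hash_key(raw)] = (owner, None)
        self._audit("create", owner, actor, now)
        return raw  # returned exactly once; only the digest is retained

    def rotate(self, owner: str, *, actor: str, now: float) -> str:
        # Demote the current key to a grace-period entry, then mint a new one.
        for h, (o, exp) in list(self._index.items()):
            if o == owner and exp is None:
                self._index[h] = (o, now + GRACE_SECONDS)
        raw = "fd_" + secrets.token_urlsafe(32)
        self._index[hash_key(raw)] = (owner, None)
        self._audit("rotate", owner, actor, now)
        return raw

    def revoke(self, owner: str, *, actor: str, now: float) -> None:
        # Revocation removes every key for the owner, grace-window entries included.
        for h, (o, _) in list(self._index.items()):
            if o == owner:
                del self._index[h]
        self._audit("revoke", owner, actor, now)

    def authenticate(self, raw_key: str, *, now: float) -> str | None:
        entry = self._index.get(hash_key(raw_key))
        if entry is None:
            return None
        owner, expires_at = entry
        if expires_at is not None and now >= expires_at:
            return None  # previous key is past its 48-hour grace period
        return owner


# Signed double-submit cookie: token = nonce || HMAC(secret, session_id:nonce).
# It is set as a cookie and echoed in the request body; the HMAC binds it to the
# session, so a token planted by a sibling subdomain does not verify.
CSRF_SECRET = secrets.token_bytes(32)  # assumption: one per deployment, kept out of the DB


def _sign_csrf(session_id: str, nonce: str) -> str:
    return hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_sign_csrf(session_id, nonce)}"


def verify_csrf(session_id: str, cookie_token: str | None, form_token: str | None) -> bool:
    if not cookie_token or not form_token:
        return False
    if not hmac.compare_digest(cookie_token, form_token):
        return False  # double-submit check: cookie and body must carry the same token
    nonce, _, sig = cookie_token.partition(".")
    if not nonce or not sig:
        return False
    return hmac.compare_digest(_sign_csrf(session_id, nonce), sig)  # bound to this session
```

`verify_csrf` runs on every mutating endpoint; the session id it binds to is the one the server already authenticated from the JWT cookie, never a value taken from the request body.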

Infrastructure

  • Dedicated servers. Not shared hosting. Separate API and pipeline hosts with restricted network access between them.
  • Database security. PostgreSQL with scram-sha-256 authentication. Connection pooling via PgBouncer with statement timeouts. Role-based access (the API role has read-only access to analytics tables).
  • HTTP security headers. Content-Security-Policy with nonces, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy disabling camera, microphone, and geolocation.
  • Automated backups. Daily database backups with 30-day retention. Pipeline data is checkpointed at each bronze / silver / gold stage so a single failed sync can be re-run without rebuilding the world.

Application security

  • SQL injection prevention. All database queries use parameterized statements via asyncpg. No string interpolation of user input into SQL anywhere in the codebase.
  • Input validation. UUID format validation, RFC-5322 email validation, state code whitelisting, ZIP sanitization, password length constraints, NAICS prefix validation, and integer bounds-checking on every numeric query parameter.
  • Dependency hygiene. Pinned dependency versions. No use of eval(), exec(), or dynamic code execution. Quarterly security-update sweeps.
  • Error tracking. Sentry integration for real-time error monitoring with PII-stripped breadcrumbs. Structured JSON logging with request latency tracking.
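The two controls above in working form, as an added example (not FastDOL's code): the input validators feed a parameterized query, shown next to the string-interpolation anti-pattern they replace. The stdlib sqlite3 module stands in for asyncpg so the block runs offline (asyncpg uses `$1`-style placeholders where sqlite3 uses `?`; the principle is the same). The table, its rows, the 254-character email cap and the simplified email regex are constructed for this example, and the NAICS rule (2 to 6 digits) is the code format, not a claim about FastDOL's validator.

```python
from __future__ import annotations

import re
import sqlite3
import uuid

# Added example, not FastDOL's code. sqlite3 stands in for asyncpg; the
# employers table and its rows are constructed.
US_STATES = frozenset(
    "AL AK AZ AR CA CO CT DE DC FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN MS "
    "MO MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA WV WI "
    "WY PR".split()
)
# Pragmatic email check; the full RFC 5322 grammar is far larger than this regex.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def validate_uuid(value: str) -> str:
    return str(uuid.UUID(value))  # raises ValueError on anything malformed


def validate_email(value: str) -> str:
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("invalid email")
    return value


def validate_state(value: str) -> str:
    code = value.strip().upper()
    if code not in US_STATES:  # allow-list, never a denylist
        raise ValueError("invalid state code")
    return code


def validate_zip(value: str) -> str:
    digits = re.sub(r"\D", "", value)  # drop dashes/spaces, keep digits only
    if len(digits) not in (5, 9):
        raise ValueError("invalid ZIP")
    return digits


def validate_naics_prefix(value: str) -> str:
    if not re.fullmatch(r"\d{2,6}", value):  # NAICS codes are 2-6 digits
        raise ValueError("invalid NAICS prefix")
    return value


def validate_int(value: str | int, lo: int, hi: int) -> int:
    try:
        n = int(value)
    except (TypeError, ValueError):
        raise ValueError("not an integer") from None
    if not lo <= n <= hi:
        raise ValueError(f"must be within {lo}..{hi}")
    return n


def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employers (name TEXT, state TEXT, naics TEXT)")
    conn.executemany(
        "INSERT INTO employers VALUES (?, ?, ?)",
        [("Acme Mining", "CO", "212100"), ("Bolt Logistics", "TX", "484110"),
         ("Cedar Farms", "CA", "111150")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, state: str) -> list[str]:
    # The anti-pattern: user input spliced into SQL. A value such as
    # "' OR '1'='1" turns the WHERE clause into a tautology and dumps every row.
    sql = f"SELECT name FROM employers WHERE state = '{state}'"
    return [row[0] for row in conn.execute(sql)]


def search_employers(conn: sqlite3.Connection, state: str, naics_prefix: str,
                     limit: str | int) -> list[str]:
    # Validate first (allow-list, format, bounds), then bind values as parameters.
    state = validate_state(state)
    naics_prefix = validate_naics_prefix(naics_prefix)
    limit = validate_int(limit, 1, 100)
    sql = ("SELECT name FROM employers WHERE state = ? AND naics LIKE ? "
           "ORDER BY name LIMIT ?")
    return [row[0] for row in conn.execute(sql, (state, naics_prefix + "%", limit))]


def search_by_name(conn: sqlite3.Connection, needle: str) -> list[str]:
    # Free text cannot be allow-listed, so parameterization alone carries the
    # load; LIKE metacharacters are escaped so "%" in input means a literal "%".
    escaped = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM employers WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]
```

The contrast to take away: against the same payload the interpolated query returns the whole table, the parameterized one returns nothing, and the validated one rejects the request before any SQL runs.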

Monitoring & incident response

  • Health monitoring. Automated health checks every 5 minutes covering database connectivity, data freshness, and pipeline status.
  • Alerting. Real-time alerts for API errors, failed email delivery, and pipeline failures.
  • Audit logging. API key creation, rotation, and revocation events are logged with timestamps and actor identity.

Compliance & legal

  • OPEN Government Data Act. All data is sourced under federal open-data policy. Commercial use is explicitly authorized; there are no restrictions on redistribution of the underlying records themselves.
  • DOL API terms. FastDOL operates within the Department of Labor's API usage terms; the required disclaimer (“data is not endorsed or certified by DOL”) appears on every employer profile.

Reporting a vulnerability

For security questionnaires, vendor assessments, or to report a vulnerability, email security@fastdol.com. We aim to acknowledge reports within one business day and to confirm remediation status within seven. We don't currently run a formal bug-bounty program but are happy to credit researchers in a public hall of fame on request.