Security & Vulnerability Disclosure

1. Protections in place

  • Encryption in transit. All connections to pace-ly.com and the live API are served over TLS.
  • Encryption at rest. Telemetry blobs and the metadata database are stored on Cloudflare R2 and D1 respectively, both encrypted at rest by Cloudflare.
  • Authentication. Web sessions are managed by Auth.js with JWT-backed cookies (HttpOnly, SameSite=Lax, Secure in production). The Pace-ly Client uses a per-device pairing JWT scoped to the user.
  • Sub-processor isolation. The Anthropic API is called with per-request scoped credentials; we send only the data needed for the chat turn (see the AI Disclosure).
  • Region awareness (roll-out). EU accounts’ telemetry is stored in EU R2 jurisdictions. See the Privacy Policy for the transfer mechanism.
  • Least access. Production credentials are restricted to the operator. No third-party employees, agencies or contractors have access today.

2. Reporting a vulnerability

If you believe you have found a security issue in Pace-ly, please email support@pace-ly.com with the subject line SECURITY:. We aim to acknowledge reports within 72 hours.

Please do not exploit the issue beyond what is necessary to demonstrate it, do not access data belonging to other users, and do not run automated scans against the live service. We will not pursue good-faith researchers who follow these guidelines.

We do not currently operate a paid bug bounty, but we will publicly credit you (with permission) for confirmed reports.

3. Machine-readable security.txt

The contact information above is also available at /.well-known/security.txt per RFC 9116.

4. Incident notification

In the event of a personal-data breach posing risk to your rights and freedoms, we will notify the Swedish supervisory authority (IMY) within 72 hours per GDPR Art. 33 and notify affected users without undue delay per Art. 34.