Security at feed.works

How we protect your data, your account, and your reading.

Last updated: April 2026

Where your data lives

feed.works runs on managed infrastructure from providers with strong security track records. We don't operate our own servers.

  • Application hosting: Deno Deploy — edge-deployed, isolated execution per request
  • Data storage: AWS DynamoDB with encryption at rest (AES-256 via AWS KMS)
  • File storage: AWS S3 with server-side encryption (AES-256)
  • Worker processing: AWS Lambda — each job runs in an isolated execution environment
  • All managed services receive provider-maintained security patches. We don't manage operating systems, hypervisors, or hardware.

How we protect your account

  • Passwords are hashed with Argon2id — a memory-hard algorithm designed to resist GPU and ASIC brute-force attacks. We never store passwords in plaintext.
  • Passkeys (WebAuthn) are supported for passwordless login. Your private key never leaves your device.
  • Two-factor authentication (2FA) is available via authenticator app (TOTP).
  • Session tokens are short-lived (15-minute access tokens with 7-day refresh tokens), HMAC-signed, and validated against the database on every request. Revoking a session takes effect immediately.
  • Email verification is required for new accounts.

What happens to your data

  • In transit: All connections use TLS 1.2 or higher. There is no unencrypted path to the service.
  • At rest: All stored data is encrypted via AWS-managed keys (AES-256).
  • Worker outputs are stored in your account only. They are not shared with other users, used for model training, or accessible to feed.works staff except for support purposes at your request.
  • Backups are automated, encrypted, and access-controlled.
  • Deletion: Account deletion triggers a full data purge within 30 days, including backups.

How we build

  • Deno's permission model restricts runtime access by default — no ambient filesystem or network access without explicit grants.
  • Dependencies are audited and pinned to specific versions.
  • Input validation on all API endpoints.
  • Rate limiting on authentication endpoints and API routes.
  • CSRF protection on all state-changing operations.
  • Content Security Policy headers restrict script execution sources.

What we don't do

  • We don't sell or share your data with ad platforms or advertisers.
  • We don't use your feed content to train AI models.
  • We don't store payment card numbers — Stripe handles all payment data.
  • We don't use third-party tracking scripts or analytics that identify individual users.
  • We don't retain data after account deletion beyond the 30-day purge window.

Found something? Tell us.

We take security vulnerabilities seriously. If you've found an issue:

  • Email: security@feed.works
  • We'll acknowledge receipt within 24 hours
  • We'll provide a timeline for a fix within 72 hours
  • We won't take legal action against good-faith security researchers

What we ask in return:

  • Don't access other users' data
  • Don't disrupt the service
  • Give us reasonable time to fix before disclosing publicly

Questions? Email security@feed.works — we're happy to answer specific questions about how we protect your data.