Our approach
Paloryx is a security product. We treat our own security the same way we treat yours: privacy by default, least-privilege everywhere, no clever tricks that can go wrong quietly. The resolver runs on your hardware, your DNS queries never leave your network, and the cloud only receives what it actually needs to do its job.
Data in transit
- All traffic between the resolver and our cloud is encrypted with TLS 1.2+, with TLS 1.3 preferred. Certificates are validated against the public trust store — no pinning exceptions.
- The resolver's upstream queries go to Cloudflare, Quad9, and similar providers over encrypted DoH / DoT by default — no plaintext DNS crosses the public internet.
- The web dashboard at paloryxlabs.com enforces HSTS and modern TLS ciphers.
Data at rest
- Account and license data lives in Supabase on AES-256 encrypted disks. Per-row access is enforced with Row-Level Security on every table that contains user data.
- Device API keys are stored as SHA-256 hashes, never in plain text. A leaked database row cannot be used to impersonate a device.
- Passwords for optional Paloryx Labs accounts are hashed with Argon2id (Supabase's default) and never logged.
- Payment data is stored by Stripe. We never see or store full card numbers.
Authentication
- Owner console: the admin UI at paloryxlabs.com/admin requires multi-factor authentication (TOTP, AAL2) and is gated to a single owner email plus a specific admin subdomain.
- Customer dashboard: supports password and email magic-link sign-in, both via Supabase Auth.
- Resolver admin UI: the local web UI at 127.0.0.1:8787 requires a username + password set on first run. Admins can enable TOTP for an extra factor.
- Device activation tokens: one-time tokens issued by the dashboard. They're consumed the first time a resolver uses them; they can't be replayed.
Network security
- The resolver binds its admin UI to the loopback interface by default. Exposing it to the LAN is opt-in and triggers a clear warning in the UI.
- The daemon runs as root on macOS only because macOS has no capabilities model equivalent to Linux's CAP_NET_BIND_SERVICE for privileged ports. No third-party C code or cgo binaries ship in the resolver.
- Software updates are delivered via signed manifests from our cloud and verified by SHA-256 before being applied.
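As an added illustration (not Paloryx's own code), this is one way a client can apply the signed-manifest-then-SHA-256 check described in the last item above. Ed25519 as the signature scheme and the manifest field names are assumptions, since the page does not specify them, and the key pair is a throwaway generated for the sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest; the field names are assumptions.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update artifact
}

// VerifyUpdate checks the Ed25519 signature (assumed scheme) over the raw manifest before trusting its digest.
func VerifyUpdate(pub ed25519.PublicKey, rawManifest, sig, artifact []byte) (*Manifest, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, rawManifest, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(rawManifest, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("manifest digest malformed")
	}
	got := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, errors.New("artifact digest mismatch")
	}
	return &m, nil
}

func main() {
	// Constructed sample: a throwaway key pair stands in for the vendor's signing key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	artifact := []byte("constructed update payload")
	sum := sha256.Sum256(artifact)
	raw, _ := json.Marshal(Manifest{Version: "0.0.0-example", SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, raw)
	_, err := VerifyUpdate(pub, raw, sig, artifact)
	fmt.Println("genuine update:", err)
	_, err = VerifyUpdate(pub, raw, sig, append(artifact, 'x'))
	fmt.Println("tampered artifact:", err)
}
```

The signature is checked over the exact bytes received, before JSON parsing, so a digest is only ever read from a manifest that has already been authenticated.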
AI advisor
When you use the in-product AI advisor, prompts are proxied through our cloud to Anthropic's Claude API. We do not store prompt contents. We do store a rate-limit counter keyed by device activation so a compromised or abusive install can't exhaust your license's quota. Prompts are never retained for model training.
Audit and monitoring
- Admin actions in the owner console are written to an append-only audit log that includes actor, action, target, and timestamp. The resolver's local admin UI similarly logs every policy and user change.
- Infrastructure alerts (auth failures, unusual billing events) go to a private channel monitored by the team.
Vulnerability reporting
If you discover a security issue in Paloryx Resolver or our cloud, please email security@paloryxlabs.com. We'll acknowledge your report within 72 hours and aim to provide an initial assessment within 5 business days.
Please don't publicly disclose the issue until we've had a chance to ship a fix. We'll credit you in the release notes unless you prefer anonymity. We don't currently run a paid bug-bounty program but will consider one-off rewards for high-severity issues.
Scope
- Paloryx Resolver (all tiers).
- paloryxlabs.com, paloryxlabs.com/dashboard, paloryxlabs.com/admin.
- Our public API under /api/v1/*.
Out of scope
- Denial-of-service attacks or load testing without prior written permission.
- Findings that require physical access to a device the resolver runs on.
- Social engineering of Paloryx Labs employees or customers.
- Self-XSS, clickjacking without a demonstrable security impact, missing security headers without an exploit.
Incident response
If we become aware of a security incident that affects your data, we will notify you via email within 72 hours of confirming the scope, describe what happened in plain language, and lay out the steps we took. We publish post-mortems for significant incidents on this page.
Questions
General security questions: security@paloryxlabs.com. Privacy questions: see our Privacy Policy.