Security & data handling

Written to answer the questions on your vendor security questionnaire, before you have to ask them.

What we hold

Public pages, a watch list, and a tamper-evident record.

Dormouse watches public web pages. The data it stores is mostly copies of those already public pages, plus your list of which URLs to watch, plus metadata about when checks ran and what changed.

It stores no page credentials and no personal data beyond whatever a watched public page itself contains. Delivery credentials and API tokens are never written to the database.

Coverage guarantees

It never silently misses.

The one thing a fixed interval cannot see is a change that appears and disappears entirely between two checks; for sources where that matters, the interval is shortened, and the coverage report shows the actual cadence against the promised one.

Secrets

Credentials stay out of the command line and off disk.

Credentials live only in process memory for the lifetime of a run.

Data at rest & encryption

Encrypted at the volume, verifiable at the record.

State lives in a single database file. For deployments under an encryption-at-rest control, Dormouse runs on an encrypted volume (LUKS, FileVault, an encrypted EBS volume), which covers the database, its write-ahead log, and exports uniformly and is the standard auditable approach. The file is restricted to the service account.

The integrity guarantee is stronger than storage encryption: every page snapshot is addressed by the hash of its content, and every check is chained to the previous one, so tampering is detectable, not merely discouraged. How the proof works.

Network posture

Outbound by default; the one inbound surface is read-only.

Deployment & supply chain

One static binary, source available.

Dormouse is a single static binary with a small, pinned dependency set and no cgo. Because it is source-available under the Business Source License, your engineers can read exactly how it fetches, stores, and verifies — including the integrity code itself. Run it self-hosted on your own infrastructure, or let us run it for you as a managed service.

Disclosure

Report a vulnerability.

Report suspected vulnerabilities privately to [email protected]. We acknowledge within three business days and keep you updated through remediation.

Fuller detail lives in the SECURITY.md that ships with the engine.

Become a founding customer

How the proof works  ·  Sample report