Sloth Lee · The slowest ninja alive · watching your Discord

Security & Trust

Sloth Lee never forgets — and never tells anyone else.

A guardian who's loose with your data isn't a guardian. Here's how he handles what your community trusts him with.

Your data is yours

GDPR right-to-export and right-to-delete are wired into the dashboard for every account, not just EU ones. One click on your account hub and you get a JSON archive of every record we hold tied to you. Deletion propagates within 24 hours.

  • Account → Privacy → Export and Delete
  • Backed by GET /api/me/export and POST /api/me/delete-account
  • Audit-log entries anonymise rather than disappear (preserves the historical record for other users without identifying you)

Encryption at rest

Sensitive fields — webhook secrets, BYOK AI provider keys — are encrypted before they hit the database, each record under its own freshly generated IV. The plaintext never lives anywhere except in memory during use.

  • AES-GCM with a per-deployment master key
  • Webhook subscription secrets are reversibly encrypted so we can sign outbound payloads — but never returned to the UI after creation
  • Auth tokens, passkey credentials, recovery codes — all hashed

Signed webhook delivery

When Sloth Lee fires a webhook to your infrastructure, every payload is signed with HMAC-SHA256 keyed with your subscription's secret. You can verify it's actually us — and reject any request that doesn't match.

  • X-Sloth-Signature header on every outbound webhook
  • RFC 6376 DKIM signing on outbound email via Sloth Mail
  • Per-subscription secret rotated on demand from the dashboard

Strong authentication

Discord OAuth covers the basic case. For everything sensitive (billing, account changes, data export) we require a second factor — WebAuthn passkeys, TOTP, or email codes — with security questions reserved for last-resort recovery.

  • WebAuthn / FIDO2 passkeys (hardware keys, Touch ID, Face ID, Windows Hello)
  • TOTP via any authenticator app
  • Email-based 2FA via our self-hosted Sloth Mail relay (no third-party SMTP exposure)
  • Security questions for last-resort recovery

Audit log that doesn't lie

Every staff action — moderation case, ticket update, settings change, billing event — is recorded with who, when, and why. The log is searchable, exportable, and tamper-evident. Sloth Lee never forgets, but he also doesn't make things up.

  • Unified timeline across mod / tickets / settings / billing
  • CSV / JSON export from the dashboard
  • Automated suspicious-activity detector flags unusual staff patterns
  • Per-row guild_id keeps audit data isolated between communities

Backups and uptime

Daily encrypted Postgres dumps with optional S3 mirror. 14-day default retention, configurable. The bot self-reports health to a public status page so you can see what we see.

  • pg_dump → gzip → Railway volume + (optional) S3-compatible bucket
  • Public /status page polls every minute
  • Sentry error tracking on the dashboard process
  • Health endpoints (/health, /health/deep) for external uptime monitoring

Compliance posture

What we cover, what we're working on, what's out of scope.

An honest map of where we stand. We'd rather tell you SOC 2 is a roadmap item than pretend we already have it.

GDPR

Compliant

Self-serve export + delete for all users, not just EU.

Discord ToS

Compliant

Bot operates within Discord's developer policies; no message content scraped beyond the features the user enabled.

SOC 2 Type II

Roadmap

Targeting Q1 2027. Foundations (audit log, access controls, backups, encryption) are already in place.

HIPAA / FedRAMP

Not in scope

Sloth Lee is a community-management product. We don't handle PHI or government data.

Reporting a vulnerability

Found something? Tell us privately.

Email security@slothlee.xyz with the details. PGP welcome — we'll send the key on request. We'll acknowledge within 48 hours and keep you updated through the fix.

We don't have a paid bug bounty yet, but high-impact reports get listed (with permission) on a public hall-of-fame page once it ships. Genuinely useful work doesn't go uncredited.

Read the legal version

Privacy policy, terms — written like a human.