BHTN
Trust & security

How we operate, what we log, where to report.

A security-positioned product only holds up if the marketing site holds up too. This page documents the posture of bhtn.io and points to the product-side material available under NDA.

01 Site security headers

What bhtn.io sends on every response.

Every HTML response from CloudFront carries the headers below. These are enforced in Terraform via a CloudFront response-headers policy and are not opt-out per page.

Response headers
  • Strict-Transport-Security
    max-age=63072000; includeSubDomains; preload
    2-year HSTS with preload eligibility.
  • Content-Security-Policy
    default-src 'self'; script-src 'self' 'unsafe-inline' https://plausible.io; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; connect-src 'self' https://plausible.io; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
    Whitelist-based. 'unsafe-inline' is present because the static site ships small bundled inline scripts (nav menu, video play). No user-generated content means negligible XSS surface; can be tightened to hashes or nonces later.
  • X-Frame-Options
    DENY
    Site cannot be embedded in another frame.
  • X-Content-Type-Options
    nosniff
    MIME sniffing disabled.
  • Referrer-Policy
    strict-origin-when-cross-origin
    Outbound referrer headers are minimized.
  • Permissions-Policy
    accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
    All sensitive browser APIs denied.
  • Cross-Origin-Opener-Policy
    same-origin
    Window isolation enforced.
  • X-Permitted-Cross-Domain-Policies
    none
    Adobe/Flash-era cross-domain policy locked down.

You can verify these yourself with curl -I https://bhtn.io after DNS cutover, or with Security Headers (securityheaders.com).
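As an added illustration of how such a header set is pinned in Terraform (this is example code, not bhtn.io's own configuration; the resource name and the policy name are assumptions), here is a CloudFront response-headers policy that emits exactly the headers listed above. The first five have dedicated blocks in the AWS provider; the remaining three go through custom_headers_config.

```hcl
# Added example, not bhtn.io's Terraform. Resource and policy names are assumed.
resource "aws_cloudfront_response_headers_policy" "site" {
  name    = "site-security-headers" # assumed name
  comment = "Security headers attached to every response from the distribution"

  security_headers_config {
    # 2-year HSTS with subdomains and preload eligibility.
    strict_transport_security {
      access_control_max_age_sec = 63072000
      include_subdomains         = true
      preload                    = true
      override                   = true
    }

    # Allowlist CSP; 'unsafe-inline' remains only for the small bundled
    # inline scripts and styles the static site ships.
    content_security_policy {
      content_security_policy = join("; ", [
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline' https://plausible.io",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "font-src 'self'",
        "media-src 'self'",
        "connect-src 'self' https://plausible.io",
        "frame-ancestors 'none'",
        "base-uri 'self'",
        "form-action 'self'"
      ])
      override = true
    }

    frame_options {
      frame_option = "DENY"
      override     = true
    }

    # Emits X-Content-Type-Options: nosniff.
    content_type_options {
      override = true
    }

    referrer_policy {
      referrer_policy = "strict-origin-when-cross-origin"
      override        = true
    }
  }

  # Headers without a dedicated block are set as custom headers.
  custom_headers_config {
    items {
      header   = "Permissions-Policy"
      value    = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
      override = true
    }
    items {
      header   = "Cross-Origin-Opener-Policy"
      value    = "same-origin"
      override = true
    }
    items {
      header   = "X-Permitted-Cross-Domain-Policies"
      value    = "none"
      override = true
    }
  }
}
```

The policy only takes effect once it is referenced from the distribution: set response_headers_policy_id = aws_cloudfront_response_headers_policy.site.id on the default cache behavior (and on any additional ordered cache behaviors, otherwise those paths silently ship without the headers). override = true on every entry means the edge rewrites anything the origin might send, which is what makes the headers non-opt-out per page.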

02 Site posture

What bhtn.io does.

Operational choices that make the site harder to attack and cheaper to audit.

Self-hosted fonts

Inter and JetBrains Mono are bundled with the site. No Google Fonts, no third-party CDN on any request.

Self-hosted everything

No ad-tech, no session recording, no fingerprinting, no third-party analytics by default. Plausible is wired but flag-off; if we enable it, we will update this page and /privacy.

HTTPS only

CloudFront redirects all HTTP to HTTPS. TLS 1.2 minimum. HSTS preload-eligible.

Private origin

The S3 bucket that holds site assets is private. CloudFront fetches via Origin Access Control (OAC, SigV4-signed); no public bucket policy, no direct S3 access.
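The following is an added example of the private-origin pattern described above, not bhtn.io's own Terraform. Resource names, the bucket name, and the existence of an aws_cloudfront_distribution.site resource elsewhere in the configuration are assumptions.

```hcl
# Added example, not bhtn.io's Terraform. Names are assumed;
# aws_cloudfront_distribution.site is assumed to be defined elsewhere.

resource "aws_s3_bucket" "site" {
  bucket = "example-site-assets" # assumed name
}

# Refuse public ACLs and public policies at the bucket level, independently
# of whatever bucket policy is attached later.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Origin Access Control: CloudFront signs every origin fetch with SigV4.
resource "aws_cloudfront_origin_access_control" "site" {
  name                              = "site-oac" # assumed name
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# The only principal allowed to read objects is the CloudFront service, and
# only when the signed request originates from this specific distribution.
data "aws_iam_policy_document" "site_origin" {
  statement {
    sid       = "AllowCloudFrontReadViaOAC"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.site.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site_origin.json

  # Apply the public-access block first so there is no window in which a
  # mis-edited policy could make the bucket public.
  depends_on = [aws_s3_bucket_public_access_block.site]
}
```

On the distribution side, the origin block references origin_access_control_id = aws_cloudfront_origin_access_control.site.id and uses the bucket's regional domain name rather than the S3 website endpoint; the website endpoint is plain HTTP and cannot be used with OAC. The SourceArn condition is the part worth checking in review: without it, any CloudFront distribution in any account could be pointed at the bucket.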

Terraform-managed infra

Every piece of bhtn.io infrastructure is described in version-controlled Terraform. No manual console edits. Drift is visible in diff.

OIDC deploys

GitHub Actions deploys via short-lived OIDC credentials into a deploy-only IAM role. No long-lived AWS access keys exist for the deploy path.
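As an added example of a deploy-only OIDC role (example code, not bhtn.io's own Terraform; the variable, role, provider and policy names are assumptions, and aws_s3_bucket.site and aws_cloudfront_distribution.site are assumed to exist elsewhere in the configuration), the trust policy below pins the federated subject to one repository and one branch, and the permissions policy grants only what a static-site deploy needs.

```hcl
# Added example, not bhtn.io's Terraform. Names are assumed; the site bucket
# and distribution are assumed to be defined elsewhere.

variable "github_repo" {
  type        = string
  description = "Repository allowed to deploy, as owner/name (assumed input)"
}

# One OIDC identity provider per account for GitHub Actions.
# thumbprint_list is optional on current AWS provider versions.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
}

# Trust policy: only tokens minted for this repo's main branch, with the STS
# audience, can assume the role.
data "aws_iam_policy_document" "deploy_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Pin the subject exactly. A wildcard such as "repo:owner/*" would let any
    # branch, tag or pull request under that owner assume the role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name                 = "site-deploy" # assumed name
  assume_role_policy   = data.aws_iam_policy_document.deploy_trust.json
  max_session_duration = 3600 # credentials expire within the hour
}

# Deploy-only permissions: list and sync objects in the site bucket, then
# invalidate the CDN cache. Nothing else in the account is reachable from CI.
data "aws_iam_policy_document" "deploy_permissions" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.site.arn]
  }
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
  }
  statement {
    effect    = "Allow"
    actions   = ["cloudfront:CreateInvalidation"]
    resources = [aws_cloudfront_distribution.site.arn]
  }
}

resource "aws_iam_role_policy" "deploy" {
  name   = "site-deploy" # assumed name
  role   = aws_iam_role.deploy.id
  policy = data.aws_iam_policy_document.deploy_permissions.json
}
```

On the GitHub side the workflow job needs permissions: id-token: write and a step such as aws-actions/configure-aws-credentials with role-to-assume set to the role ARN; no AWS access key is stored as a repository secret. When reviewing a role like this, the two things to check are the sub condition (exact branch, not a wildcard) and that the permissions policy names specific resource ARNs rather than "*".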

Branded 404

No error page leaks a stack trace or server version. CloudFront serves a branded 404.html for any unknown route.

03 What we don't do

Enumerated, not implied.

A site that tells you what it doesn't collect is more useful than a page-long privacy policy that implies it.

  • Set tracking cookies.
  • Sell, rent, or trade any personal information.
  • Run ad-tech, retargeting pixels, or third-party marketing scripts.
  • Record sessions or fingerprint visitors.
  • Log request bodies. CloudFront access logging is disabled today; if re-enabled, standard CDN fields only, 30-day retention.
  • Store contact-form submissions in a database. There is no contact form — only direct email.

Full detail in the Privacy Policy. If anything on that page contradicts this list, the Privacy Policy is authoritative.

04 Product security (ZeRDA)

The product runs in your account. Permanently.

BHTN does not host customer data paths and has no plan to. Both ZeRDA and ZEN-D deploy via Terraform into the customer's own infrastructure. This is architectural, not a deployment option — and it's why the compliance math works the way it does.

19/19 STRIDE mitigated

Full STRIDE threat model enumerated, mitigated in architecture, validated in tests. Methodology available under NDA.

Customer-hosted by design, permanently

ZeRDA and ZEN-D both deploy into the customer's own infrastructure via Terraform. BHTN is never on the data path — not today, not in any planned tier. That is an architectural commitment, not a deployment option.

Ephemeral keys and fragments

Per-transfer ephemeral keys with standards-based AEAD; data is held as erasure-coded shards that are byte-wiped after use or on TTL expiry (fail-closed, with TTLs measured in seconds).

Four-plane separation

Bulk, critical-redundancy, metadata, and key-custody planes run with independent mTLS identities and network paths. Compromise of any single plane yields nothing usable.

05 Compliance posture

We say only what's true today.

Certifications and attestations matter when the thing being certified actually exists. Here is where we are.

What's true today
  • Customer-hosted by design, permanently. ZeRDA and ZEN-D both deploy into customer infrastructure; BHTN is never on the data path in any tier, current or planned.
  • PCI-DSS, HIPAA, and SOX scope reduction is architectural — the intermediate infrastructure holds nothing at rest, so it's out of scope by design.
  • 19/19 STRIDE threat model. Full report available under NDA.
  • Signed compliance & security documentation for enterprise engagements (ELA).

What we don't claim
  • SOC 2 certification. BHTN does not host customer data paths, so a SOC 2 on BHTN-operated services would audit the wrong thing. When a customer requires a service-organization attestation, we scope one for the relevant service boundary at that time.
  • ISO 27001 / FedRAMP / other framework certifications. Same reason. Applicable at the customer's deployment boundary, not ours.
  • Third-party penetration test report. Pre-launch. Methodology and internal test results are available under NDA.

06 Vulnerability reporting

Coordinated disclosure.

If you believe you've found a vulnerability in bhtn.io, we want to hear from you. This section states the ground rules.

  • Where to send
    info@bhtn.io
    Subject line "Security".
  • What's in scope
    bhtn.io, any *.bhtn.io subdomain, and public content we ship from this domain.
    Out of scope: customer-hosted ZeRDA and ZEN-D deployments — those always run in the customer's own infrastructure, so they belong to the customer's bug-bounty or disclosure program.
  • Response target
    We acknowledge within one business day and triage within three.
    We coordinate disclosure timelines with reporters in good faith.
  • Safe harbor
    Good-faith research that avoids data exfiltration, service degradation, and user harm will not be pursued legally.
    Please avoid social engineering, physical attacks, and anything that affects other users.

Due diligence

Evaluating us for a pilot or partnership?

The threat model, the full STRIDE report, benchmarking methodology, and deployment reference are available under NDA for qualified technical evaluators.