Security
Transparency is at the heart of our security model. Here is how we keep FolioNames safe.
Security Architecture
FolioNames employs a defence-in-depth approach to platform security. Every tool runs inside a sandboxed iframe with a strict Content Security Policy (CSP). Tools cannot access the parent page, local storage, or any user data outside their sandbox.
All tool code is encrypted at rest using AES-256, with a distinct initialisation vector and key-derivation salt for each tool. Decryption only occurs at execution time within the sandboxed environment.
We use Subresource Integrity (SRI) hashes to verify that tool code has not been tampered with between review and execution. Any mismatch blocks the load immediately.
Trust Model
Our trust model is built on layered verification:
1. Creator Verification — All creators undergo identity verification before they can publish tools. This includes document checks and social profile linking.
2. Automated Security Scanning — Every tool submission passes through automated static analysis, dependency scanning and behavioural analysis before human review.
3. Human Review — Our security team manually reviews every tool before approval. We check for data exfiltration, phishing, misleading behaviour and compliance with our Acceptable Use Policy.
4. Trust Scores — Each tool and creator maintains a trust score based on review outcomes, user reports, uptime history and code quality metrics.
5. Continuous Monitoring — Published tools are continuously monitored for uptime, behavioural changes and security regressions. Anomalies trigger automatic suspension pending review.
Tool Review Process
When a creator submits a tool, it goes through our multi-stage review pipeline:
Stage 1: Automated Scanning
- Static analysis for known vulnerability patterns
- Dependency audit against CVE databases
- Network request analysis to detect data exfiltration
- EU AI Act risk level classification
Stage 2: Sandbox Testing
- The tool is executed in an isolated environment
- All network requests are logged and analysed
- Performance budgets are checked
- Accessibility scores are computed
Stage 3: Human Review
- A member of our security team reviews the code
- They verify the tool does what it claims
- They check for compliance with our policies
- They assess the AI risk level classification
Stage 4: Post-Publication Monitoring
- Continuous uptime health checks
- Periodic re-scanning for new vulnerabilities
- User report monitoring
- Anomaly detection on usage patterns
Endpoint Whitelisting
Tools that need to make network requests must declare their endpoints upfront. Each endpoint is individually reviewed and whitelisted. Our proxy layer ensures tools can only communicate with approved endpoints.
All proxied requests are logged for audit purposes. Requests to non-whitelisted endpoints are blocked and flagged for review.
Data Protection
FolioNames is designed with data minimisation as a core principle:
- Tool inputs are processed locally in the browser whenever possible
- When server-side processing is required, data is tokenised and never stored in plain text
- Session replays are opt-in and encrypted
- We do not sell or share user data with third parties
- All data is processed in compliance with UK GDPR
For full details, see our Privacy Policy.
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it via our security.txt file (RFC 9116) or by email to security@folionames.com.
We commit to:
- Acknowledging receipt within 24 hours
- Providing an initial assessment within 72 hours
- Working with you to understand and resolve the issue
- Crediting you (with your permission) in our security advisories
Please do not publicly disclose vulnerabilities until we have had reasonable time to address them.