Security & Compliance
WRL is built on Cloudflare’s global infrastructure with cryptographic integrity at its core. Every security claim on this page is backed by the public codebase — verifiable by anyone. This page is a summary; full documentation lives at docs.webresourceledger.com/security/.
Compliance
GDPR
WRL is operated from Germany and processes personal data in compliance with the General Data Protection Regulation (GDPR). A Data Processing Agreement (DPA) is available for enterprise and B2B customers who require one for their own compliance obligations.
Subprocessors
We maintain a published subprocessor list with the purpose, data processed, location, and data transfer mechanism for each third-party processor (Cloudflare, Coralogix, GitHub, Stripe, and others).
EU Data Processing
Operational logs are processed exclusively in Coralogix’s EU2 region. Log data contains pseudonymized identifiers only — no raw personal data. See the subprocessor list for data transfer mechanisms for all processors.
Incident Response
We maintain a documented incident response procedure. In the event of a personal data breach, affected customers will be notified within 48 hours, and the supervisory authority within 72 hours per GDPR Article 33.
Cryptographic Integrity
Ed25519 Signatures
Every capture bundle is signed with Ed25519 before it leaves the worker. The signature covers the complete WACZ archive — screenshot, rendered HTML, HTTP headers, and metadata. Any modification after signing invalidates the signature. The verification process is documented and open to independent audit.
RFC 3161 Timestamps
Each capture receives a standard RFC 3161 timestamp from DigiCert, anchoring it to a cryptographically attested point in time. Captures with the eIDAS add-on also receive a qualified timestamp from Sectigo, which carries legal presumption of accuracy across all EU member states under eIDAS Article 41(2).
Privacy Engineering
IP Address Pseudonymization
Raw IP addresses are never stored. For rate limiting and abuse prevention, we compute an HMAC-SHA-256 pseudonymized identifier using a daily rotating key. The identifier cannot be reversed to recover the original IP, and a different value is produced each day. This constitutes pseudonymized data under GDPR Article 4(5).
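A sketch of the pseudonymization described above, as an added example that is not WRL's own code. How the daily key is produced, the `ip-pseudonym/` label, the address canonicalization and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter
from datetime import date

# Constructed placeholder. Assumption: each day's key is derived from a
# long-lived secret; the page only says the key rotates daily.
MASTER_SECRET = bytes(32)


def daily_key(master: bytes, day: date) -> bytes:
    """Derive the HMAC key for one calendar day."""
    label = b"ip-pseudonym/" + day.isoformat().encode()
    return hmac.new(master, label, hashlib.sha256).digest()


def canonical_ip(raw: str) -> bytes:
    """Collapse textual variants so one client maps to one identifier."""
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:203.0.113.7 -> 203.0.113.7
    return addr.packed


def pseudonymize_ip(raw: str, day: date, master: bytes = MASTER_SECRET) -> str:
    """HMAC-SHA-256 over the packed address. The secret key is what stops
    anyone from enumerating the 2**32 IPv4 addresses to invert the value."""
    return hmac.new(daily_key(master, day), canonical_ip(raw), hashlib.sha256).hexdigest()


def count_requests(log, master: bytes = MASTER_SECRET) -> Counter:
    """Rate-limit tally keyed by (day, pseudonym); the raw IP is never kept."""
    counts = Counter()
    for day, raw_ip in log:
        counts[(day, pseudonymize_ip(raw_ip, day, master))] += 1
    return counts


# Constructed sample requests (documentation address ranges).
SAMPLE_LOG = [
    (date(2024, 1, 1), "203.0.113.7"),
    (date(2024, 1, 1), "::ffff:203.0.113.7"),  # same client, IPv4-mapped form
    (date(2024, 1, 1), "198.51.100.9"),
    (date(2024, 1, 2), "203.0.113.7"),  # next day: unlinkable identifier
]

if __name__ == "__main__":
    for (day, ident), n in count_requests(SAMPLE_LOG).items():
        print(day, ident[:16], n)
```

With a derived key, anyone holding the master secret can recompute past identifiers; generating a random key each day and discarding it afterwards removes that ability.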
API Key Hashing
API keys are stored as SHA-256 hashes only. The raw key is shown once at creation and never persisted. The same applies to session tokens: only the hash is stored server-side.
Public Source Code
The full WRL codebase is published on GitHub under the PolyForm Shield 1.0.0 license. Every security claim on this page can be verified by reading the code. No trust in our assertions required.
For the complete security documentation, including threat model, key management, and verification procedures, see docs.webresourceledger.com/security/.
See also: Privacy Policy