Security

Security Policy

JAKUU handles user accounts, prediction market intelligence, and financial-adjacent data. We take platform security seriously and apply defence-in-depth across every layer of the stack.

This page describes our security posture, the controls we have in place, and how to reach us if you find a vulnerability.

Infrastructure & Platform
Cloudflare Edge
All traffic is proxied through Cloudflare. DDoS protection, WAF with OWASP managed rules, and bot mitigation are active on both jakuu.ai and app.jakuu.ai.
TLS & HTTPS
TLS 1.2 is the minimum accepted version and TLS 1.3 is preferred. HTTPS is enforced on all routes, and HSTS is sent as Strict-Transport-Security: max-age=31536000; includeSubDomains; preload (one year, covering all subdomains, eligible for browser preload lists).
Serverless Architecture
JAKUU runs on Cloudflare Workers and Pages: there are no traditional servers to patch, no SSH access surface, and no exposed ports. The remaining attack surface is the application code itself and the Cloudflare account and bindings it runs under, which keeps it minimal by design.
Data Storage
User data is stored in Cloudflare D1 (SQLite). Every database query is a prepared statement with bound parameters; user input is never interpolated into SQL strings.
Authentication & Sessions

Passwords are hashed with PBKDF2-HMAC-SHA256 at 210,000 iterations, using a cryptographically random 256-bit salt generated per user. Plaintext passwords are never stored or logged.

Session tokens are 256-bit values drawn from crypto.getRandomValues, the CSPRNG available to both browsers and Workers. Sessions expire 30 days after issue and are invalidated server-side on logout, so a token that has been copied from a client stops working at either point.

Login attempts are rate-limited per IP address and per account identifier: five failed attempts trigger a 60-second lockout. Error messages are identical for an unknown username and a wrong password, so the login form cannot be used to enumerate accounts.
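The lockout policy above, as an added example written for this page rather than JAKUU's own code. It tracks failures under two keys per attempt (the client IP and the normalised identifier) so that locking one does not depend on the other, and returns the same body for an unknown user as for a wrong password. The credential check is passed in as a function; the HTTP status choices, the class and function names and the in-memory Map are this example's assumptions.

```javascript
// Added example (not JAKUU's code): brute-force lockout keyed on both the client IP
// and the account identifier, with one generic error for every failure mode.
const MAX_FAILURES = 5;      // failed attempts before lockout (from the page)
const LOCKOUT_MS = 60_000;   // lockout duration (from the page)
const GENERIC_ERROR = { error: 'Invalid username or password.' };

class LoginGuard {
  constructor({ maxFailures = MAX_FAILURES, lockoutMs = LOCKOUT_MS } = {}) {
    this.maxFailures = maxFailures;
    this.lockoutMs = lockoutMs;
    // key -> { failures, lockedUntil }. In a Worker this state must live in a
    // Durable Object or KV: isolates do not share memory, so an in-memory Map
    // would give every isolate its own independent counter.
    this.state = new Map();
  }

  isLocked(key, now = Date.now()) {
    const s = this.state.get(key);
    return s !== undefined && s.lockedUntil > now;
  }

  // Counts a failure; once maxFailures is reached the key is locked for lockoutMs
  // and the counter restarts. Returns true if the key is now locked.
  recordFailure(key, now = Date.now()) {
    const s = this.state.get(key) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.failures = 0;
      s.lockedUntil = now + this.lockoutMs;
    }
    this.state.set(key, s);
    return s.lockedUntil > now;
  }

  reset(key) { this.state.delete(key); }
}

// verifyCredentials(identifier, password) -> boolean. It must return false for both
// "no such user" and "wrong password", and should take the same time in each case
// (for example by hashing against a dummy record when the user is unknown).
function attemptLogin(guard, { ip, identifier, password }, verifyCredentials, now = Date.now()) {
  // The identifier key is tracked whether or not the account exists, so lockout
  // behaviour does not reveal which usernames are real.
  const keys = [`ip:${ip}`, `id:${identifier.trim().toLowerCase()}`];

  if (keys.some((k) => guard.isLocked(k, now))) {
    // Refused before any credential check: a correct password does not bypass lockout.
    return { status: 429, body: GENERIC_ERROR };
  }
  if (!verifyCredentials(identifier, password)) {
    for (const k of keys) guard.recordFailure(k, now);
    return { status: 401, body: GENERIC_ERROR };
  }
  for (const k of keys) guard.reset(k);
  return { status: 200, body: { ok: true } };
}
```

Because the identifier key is locked independently of the IP key, an attacker rotating source addresses against one account still hits the 60-second lockout after five failures, while a single abusive address is locked out regardless of how many accounts it tries.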

Data Handling

We collect the minimum data required to operate the platform: username, email address (for password reset), Polymarket wallet address (optional), and Telegram handle (optional, for Telegram alerts).

We do not sell user data. Email addresses are used only for account operations — password reset, subscription notifications — and are never shared with third parties for marketing purposes.

Prediction market positions and AI-generated intelligence signals are associated with accounts for the purpose of personalised analysis. This data is not shared with other users unless you explicitly opt in to the community sharing feature.

For full details see our Privacy Policy.

Security Controls
HSTS preload; CSP enforced; X-Frame-Options: DENY; Cloudflare WAF; bot protection; rate limiting; PBKDF2-SHA256 at 210,000 iterations; 256-bit session tokens; parameterised SQL; no secrets in source; TLS 1.3; Referrer-Policy.
Independent Verification

Our security posture is independently verified by third-party scanners. Results are publicly accessible and update automatically; nothing on this page is self-certified.

Security Headers (grade A)
Scans HTTP response headers against current best practice. Grade A confirms all critical security headers are correctly configured on both jakuu.ai and app.jakuu.ai.
Mozilla Observatory (grade B)
Mozilla's web security scanner audits headers, CSP, CORS, cookie security, and HSTS. Grade B reflects a strong baseline; the only deduction is CSP strictness, because the current front-end relies on inline scripts and so script-src cannot yet be fully locked down.
Responsible Disclosure

We welcome security research on JAKUU. If you discover a vulnerability, please report it to us privately before public disclosure. We aim to acknowledge all reports within 48 hours and resolve critical issues within 7 days.

We ask that you do not access, modify, or delete user data; disrupt service availability; or perform testing that could impact other users. Automated scanning beyond basic header checks is not permitted without prior approval.

Report a Vulnerability
Email: security@jakuu.ai
Please include a clear description, steps to reproduce, and any supporting evidence. We will respond within 48 hours.
Last updated: March 2026  ·  security.txt