Security

Last Updated: December 8, 2025

At TheCore, security is not an afterthought — it's built into every layer of our platform. We implement industry-standard security practices to protect your data, ensure privacy, and maintain the trust you place in us.

Zero Data Sales: We will NEVER sell, rent, or share your data with third parties for commercial purposes. Your community data belongs to you, and we protect it as if it were our own.
  • 🔒 HTTPS/TLS Encrypted
  • 🛡️ GDPR Compliant
  • 🔐 OAuth 2.0 Authentication
  • 🏢 Multi-Tenant Isolation

1. Data Encryption

1.1 Data in Transit

All data transmitted between your browser, our servers, and third-party APIs is encrypted using TLS 1.2+ (Transport Layer Security). This ensures that data cannot be intercepted or tampered with during transmission.

  • HTTPS enforced on all web pages
  • Secure WebSocket connections for real-time features
  • API communication over encrypted channels

1.2 Data at Rest

Sensitive data stored in our database is protected using:

  • Password Hashing: User passwords (if stored) are hashed using bcrypt with salt
  • API Key Hashing: Bot API keys are stored as SHA-256 hashes
  • Database Encryption: Database files are protected with filesystem-level encryption

2. Authentication and Access Control

2.1 Discord OAuth 2.0

TheCore uses Discord OAuth 2.0 for user authentication. We do not store passwords — authentication is handled securely by Discord. Users authorize our application to access specific Discord data (user ID, username, email).

2.2 Session Management

  • Secure, time-limited session tokens
  • Automatic session expiration after inactivity
  • Session invalidation on logout
  • Protection against session fixation and hijacking

2.3 Role-Based Access Control (RBAC)

TheCore implements strict role-based permissions:

  • Super Admin: Full platform access (TheCore staff only)
  • Client Admin: Full access to assigned Discord servers and team management
  • Client User: Limited read-only or delegated access

Users can only access data from Discord servers they are authorized to view. Cross-client data leakage is prevented through database-level tenant isolation.

2.4 Bot API Authentication

Discord bots authenticate with our backend using API keys (SHA-256 hashed). Each bot-server pair has a unique API key, and unauthorized requests are rejected.
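As an added illustration (not TheCore's own code) of the API key handling described in sections 1.2 and 2.4: a random key is issued per bot-server pair, only its SHA-256 digest is stored, and incoming requests are checked by hashing the presented key and comparing digests in constant time. Store layout, identifiers and the `demo()` helper are assumptions for this example; SHA-256 without a per-key salt is appropriate here only because the keys are high-entropy random tokens, which is why passwords still need bcrypt.

```python
import hashlib
import hmac
import secrets

# Digest compared against when the bot-server pair is unknown, so a lookup
# miss takes the same time as a hit and does not reveal which pairs exist.
DUMMY_DIGEST = hashlib.sha256(b"unknown").hexdigest()


def hash_api_key(api_key: str) -> str:
    """Return the hex SHA-256 digest that is stored instead of the key."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key(store: dict, bot_id: str, server_id: str) -> str:
    """Generate a unique key for a bot-server pair and persist only its hash.

    The plaintext is returned once to the caller and never kept server-side,
    so a database leak does not expose usable keys.
    """
    api_key = secrets.token_urlsafe(32)  # 256 bits of entropy
    store[(bot_id, server_id)] = hash_api_key(api_key)
    return api_key


def verify_request(store: dict, bot_id: str, server_id: str, presented: str) -> bool:
    """Accept a request only if the presented key hashes to the stored digest."""
    expected = store.get((bot_id, server_id))
    candidate = hash_api_key(presented)
    if expected is None:
        hmac.compare_digest(DUMMY_DIGEST, candidate)  # constant-time miss path
        return False
    return hmac.compare_digest(expected, candidate)


# Constructed demo data: one bot registered on two servers.
STORE: dict = {}
KEY_A = issue_api_key(STORE, "bot-1", "server-111")
KEY_B = issue_api_key(STORE, "bot-1", "server-222")


def demo() -> dict:
    """Exercise the accept and reject paths; assumed helper for this example."""
    return {
        "right_key": verify_request(STORE, "bot-1", "server-111", KEY_A),
        "wrong_server": verify_request(STORE, "bot-1", "server-222", KEY_A),
        "unknown_pair": verify_request(STORE, "bot-9", "server-111", KEY_A),
        "plaintext_absent": KEY_A not in STORE.values(),
    }
```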

3. Multi-Tenant Data Isolation

TheCore is a multi-tenant platform, meaning multiple clients use the same infrastructure. We ensure complete data isolation:

  • Each client is assigned a unique client_id in the database
  • All queries filter by client_id to prevent cross-client data access
  • Server-side access control validates permissions on every request
  • No client can view or modify another client's data

4. Data Privacy and Minimization

4.1 Privacy by Design

We follow privacy by design principles:

  • No Full Message Storage: We do NOT store complete Discord messages, only metadata (message IDs, timestamps, length)
  • Limited AI Samples: Only message samples (up to 500 characters) are sent to AI for sentiment analysis
  • User Anonymization: We store Discord user IDs, not personally identifiable information (PII)
  • Minimal Data Collection: We only collect data necessary to provide our services

4.2 GDPR Compliance

TheCore is fully compliant with the General Data Protection Regulation (GDPR):

  • Users have the right to access, rectify, or delete their data
  • We provide data portability (export your data in JSON format)
  • We obtain explicit consent before processing personal data
  • We maintain audit logs of data access and processing
  • We respond to data subject requests within 30 days

5. Infrastructure Security

5.1 Server Security

  • Servers are hosted in secure, certified data centers
  • Regular security patches and OS updates
  • Firewall protection and intrusion detection systems (IDS)
  • Network segmentation to isolate services

5.2 Database Security

  • SQLite database with restricted file permissions
  • Automated daily backups with encryption
  • Database access restricted to authorized backend services only
  • Protection against SQL injection via parameterized queries
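As an added example (not TheCore's own code) of the client_id scoping in section 3 and the parameterized queries in section 5.2: a small SQLite data-access layer where every read takes a client_id, and untrusted values are bound as parameters rather than concatenated into SQL. Table and column names, the sample rows and the `demo()` helper are assumptions for this example.

```python
import sqlite3


def init_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (id INTEGER PRIMARY KEY, "
                 "client_id TEXT NOT NULL, name TEXT NOT NULL)")
    conn.execute("CREATE TABLE message_stats (id INTEGER PRIMARY KEY, "
                 "client_id TEXT NOT NULL, server_id INTEGER NOT NULL, "
                 "message_id TEXT, length INTEGER)")
    conn.executemany("INSERT INTO servers (client_id, name) VALUES (?, ?)",
                     [("client-A", "Alpha Guild"), ("client-B", "Beta Guild")])
    conn.executemany("INSERT INTO message_stats (client_id, server_id, message_id, length) "
                     "VALUES (?, ?, ?, ?)",
                     [("client-A", 1, "m1", 42), ("client-A", 1, "m2", 17),
                      ("client-B", 2, "m3", 99)])
    return conn


def list_servers(conn: sqlite3.Connection, client_id: str) -> list:
    """Every read is scoped by client_id; the caller cannot omit the filter."""
    rows = conn.execute("SELECT name FROM servers WHERE client_id = ?",
                        (client_id,)).fetchall()
    return [r[0] for r in rows]


def server_message_count(conn: sqlite3.Connection, client_id: str, server_id) -> int:
    """Filter by BOTH client_id and server_id.

    A server_id that belongs to another tenant returns 0 rows instead of
    leaking them, and because server_id is bound as a parameter, a value
    such as "1 OR 1=1" is compared as data and never changes the query.
    """
    row = conn.execute(
        "SELECT COUNT(*) FROM message_stats WHERE client_id = ? AND server_id = ?",
        (client_id, server_id)).fetchone()
    return row[0]


def demo() -> dict:
    """Show own-tenant, cross-tenant and injection-shaped lookups (assumed helper)."""
    conn = init_db()
    return {
        "a_servers": list_servers(conn, "client-A"),
        "own_count": server_message_count(conn, "client-A", 1),
        "cross_tenant": server_message_count(conn, "client-A", 2),
        "injection": server_message_count(conn, "client-A", "1 OR 1=1"),
    }
```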

5.3 Application Security

  • Input validation and sanitization on all user inputs
  • Protection against XSS (Cross-Site Scripting) attacks
  • CSRF (Cross-Site Request Forgery) token validation
  • Rate limiting to prevent abuse and DDoS attacks
  • Regular security code reviews

6. Incident Response and Monitoring

6.1 Security Monitoring

We continuously monitor our systems for suspicious activity:

  • Real-time logging of authentication attempts, API requests, and database queries
  • Automated alerts for unusual patterns (e.g., multiple failed logins)
  • Bot health checks and uptime monitoring

6.2 Incident Response

In the event of a security incident:

  • We will investigate and contain the breach immediately
  • Affected users will be notified within 72 hours (as required by GDPR)
  • We will take corrective action to prevent future incidents
  • A post-incident report will be published (if appropriate)

7. Third-Party Security

We carefully vet all third-party services we integrate with:

  • Discord: Industry-leading OAuth 2.0 authentication
  • AI Providers: We may use Groq, OpenAI, Anthropic (Claude), or Google (Gemini) to process message samples for sentiment analysis and insights. Each provider has unique strengths, and we select the most appropriate model for each use case. All providers maintain enterprise-grade security standards and comply with relevant privacy regulations.
  • Stripe (Payment Processing): We use Stripe for secure payment processing. Stripe is PCI DSS Level 1 compliant and handles all sensitive payment information. We never see or store your full credit card details — all payment data is encrypted and processed directly by Stripe.

We do not use third-party advertising or tracking services.

8. Employee Access and Training

  • Access to production systems is restricted to authorized personnel only
  • All staff are trained on security best practices and GDPR compliance
  • Principle of least privilege: employees have access only to data necessary for their role
  • Audit logs track all administrative actions

9. Vulnerability Disclosure

We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue, please contact us at:

Email: hello@thecommunitycore.com
Subject: Security Vulnerability Report

We commit to:

  • Acknowledge your report within 48 hours
  • Investigate and address the issue promptly
  • Keep you informed of our progress
  • Credit you publicly (if you wish) upon resolution

10. Compliance and Certifications

TheCore complies with:

  • GDPR (General Data Protection Regulation) — Full compliance with EU data protection laws
  • Discord Developer Terms of Service — We adhere to Discord's policies for bot developers
  • Industry Best Practices — OWASP Top 10, NIST Cybersecurity Framework

11. User Responsibilities

While we implement strong security measures, you also play a role:

  • Use strong, unique passwords for your Discord account
  • Enable two-factor authentication (2FA) on Discord — this is strongly recommended for all users and may be required for Client Admins
  • Do not share your account credentials
  • Report suspicious activity immediately
  • Keep your browser and devices secure

12. Questions and Contact

If you have questions about our security practices, contact us at:
Email: hello@thecommunitycore.com
Website: https://thecommunitycore.com

This Security page is part of our commitment to transparency and trust. We continuously improve our security posture and will update this page as our practices evolve.