Security
301.st is built around a simple idea: the safest operating model is one where your infrastructure stays in your hands and the platform only gets the access it actually needs.
Security Starts With Boundaries
Because 301.st operates through credentials and provider access that customers supply, our security model is built around clear boundaries, scoped permissions, and minimizing unnecessary trust.
The product should make operations easier without asking teams to give up ownership or lose visibility into what they are authorizing.
How We Think About Access
- Use scoped credentials and provider permissions wherever the workflow allows.
- Treat customer-owned infrastructure as customer-owned, not as something 301.st should silently take over.
- Keep important account and integration actions visible enough to review and investigate when needed.
- Reduce hidden coupling between product features and provider access.
What We Protect
- Account access and authentication flows.
- Integration credentials and other sensitive connection data.
- Configuration data for projects, sites, redirects, and related workflows.
- The platform itself, against abuse, clearly harmful activity, and unauthorized access attempts.
Practical Security Measures
- Encrypted transport for web traffic and authenticated service communication.
- Credential handling designed to limit unnecessary exposure and reduce long-lived trust where possible.
- Reasonable logging and monitoring for account, integration, and operational events.
- Ongoing review of public surfaces, dependencies, and product changes as the platform evolves.
Responsible Disclosure
If you believe you found a security issue, please report it privately before public disclosure so we have a fair chance to review and address it responsibly.
- Send reports to: security@301.st
- Please include: affected page or flow, steps to reproduce, and what impact you believe is possible.
- Please avoid: accessing data you do not own, disrupting service, or expanding testing beyond what is reasonably necessary to demonstrate the issue.
What We Ask From Customers
- Protect your own account credentials and internal access processes.
- Use provider tokens and permissions that match the least access your workflow actually needs.
- Rotate or revoke credentials when team membership, risk posture, or provider policy changes.
- Review production changes carefully, especially when they can affect routing or infrastructure behavior.
Need to Reach Us?
For security matters, contact security@301.st. For privacy questions, see the Privacy Policy. For broader product guidance, use the Documentation or Contact page.
Last updated: April 5, 2026