FreeTier Sentinel / Security
Auditable · Open source · No bullshit

Your cloud credentials never leave the bank vault.

FreeTier Sentinel is a solo-built, fully open-source SaaS. Every line of code is auditable. This page summarizes how we handle the three things that actually matter — your API tokens, your payments, and your identity.

Encryption

AES-256-GCM at rest. TLS 1.3 in transit. Master key in Workers Secrets, never in DB.

Access

We accept only read-only, usage-scope tokens. Tokens with write or billing scopes are explicitly rejected.

Compliance

GDPR-aligned, EU-Frankfurt deployable. SOC 2 in progress. MIT-licensed, fully self-hostable.

01 Your API tokens

To monitor your free-tier usage, FreeTier Sentinel needs read-only / usage-scope tokens from the cloud SaaS providers you connect (Cloudflare, Vercel, GitHub Actions, etc.). We never request tokens with provisioning, billing, or write permissions.

The clearest version of this: we cannot see your AWS root credentials, your Cloudflare account password, your GitHub OAuth refresh token, or your Vercel team-admin scope. The tokens we hold can read usage counters and nothing else.

02 Payments

Payments are processed by Polar via Stripe Connect (PCI DSS Level 1). FreeTier Sentinel never sees, stores, or transmits card details — only Polar/Stripe ever touch them. We receive a customer ID and a webhook event ("subscription.active") signed with HMAC-SHA256 per the Standard Webhooks spec.
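How the receiving side of that webhook is verified, as an added example (not FreeTier Sentinel's own code): the Standard Webhooks scheme signs "{id}.{timestamp}.{body}" with HMAC-SHA256 under a "whsec_"-prefixed base64 secret and sends the result in the webhook-id, webhook-timestamp and webhook-signature headers. The secret, message id, timestamp, tolerance window and event body below are constructed for the demonstration, not values Polar actually issues.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumption: a 5-minute replay window, the spec's suggested default.
TOLERANCE_SECONDS = 300


def _decode_secret(secret: str) -> bytes:
    # Standard Webhooks secrets are "whsec_" + base64 of the raw key bytes.
    if secret.startswith("whsec_"):
        secret = secret[len("whsec_"):]
    return base64.b64decode(secret)


def sign(secret: str, msg_id: str, timestamp: int, body: bytes) -> str:
    # Signed content is "{id}.{timestamp}.{body}"; output is "v1," + base64(HMAC-SHA256).
    to_sign = f"{msg_id}.{timestamp}.".encode() + body
    mac = hmac.new(_decode_secret(secret), to_sign, hashlib.sha256).digest()
    return "v1," + base64.b64encode(mac).decode()


def verify(secret: str, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """True only if the timestamp is fresh and at least one v1 signature matches the body."""
    try:
        msg_id = headers["webhook-id"]
        ts = int(headers["webhook-timestamp"])
        sig_header = headers["webhook-signature"]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = sign(secret, msg_id, ts, body)
    # The header may carry several space-separated signatures (key rotation); check each v1 entry
    # with a constant-time comparison so a mismatch does not leak timing.
    for candidate in sig_header.split():
        if candidate.startswith("v1,") and hmac.compare_digest(candidate, expected):
            return True
    return False


def make_headers(secret: str, msg_id: str, timestamp: int, body: bytes) -> Dict[str, str]:
    # What the sender attaches; used here only to build a constructed sample delivery.
    return {
        "webhook-id": msg_id,
        "webhook-timestamp": str(timestamp),
        "webhook-signature": sign(secret, msg_id, timestamp, body),
    }


# Constructed sample values (not a real secret or event).
SAMPLE_SECRET = "whsec_" + base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
SAMPLE_BODY = b'{"type":"subscription.active","customer_id":"cus_constructed_123"}'
SAMPLE_ID = "msg_constructed_001"
SAMPLE_TS = 1_700_000_000


def run_checks() -> Dict[str, bool]:
    """Exercise the verifier on a good delivery, a tampered body and a stale timestamp."""
    headers = make_headers(SAMPLE_SECRET, SAMPLE_ID, SAMPLE_TS, SAMPLE_BODY)
    return {
        "valid": verify(SAMPLE_SECRET, headers, SAMPLE_BODY, now=SAMPLE_TS),
        "tampered_body": verify(SAMPLE_SECRET, headers, SAMPLE_BODY + b" ", now=SAMPLE_TS),
        "stale": verify(SAMPLE_SECRET, headers, SAMPLE_BODY, now=SAMPLE_TS + TOLERANCE_SECONDS + 1),
        "missing_header": verify(SAMPLE_SECRET, {"webhook-id": SAMPLE_ID}, SAMPLE_BODY, now=SAMPLE_TS),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two details matter in practice: the raw request bytes must be signed and verified, not a re-serialized JSON object, and the timestamp check has to happen even when the signature is valid, otherwise a captured "subscription.active" event can be replayed later.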

03 Authentication

FreeTier Sentinel uses magic-link auth — no passwords. We email you a 6-digit code with a short TTL. There's nothing to hash, nothing to leak in a breach.

04 Subprocessors

Per Plausible-style disclosure, every third-party service that touches your data:

Subprocessor        Purpose                                    Region
Cloudflare Workers  App runtime (compute)                      Global edge
Cloudflare D1       Relational database                        Configured per account
Cloudflare KV       Session + short-lived state                Global edge
Polar.sh            Billing & merchant of record               EU / US
Stripe Connect      Card processing (via Polar)                Global, PCI DSS L1
Resend              Transactional email (alerts, magic links)  US / EU

05 Open source

All server-side and client-side code is on GitHub: wndnjs3865/freetier-sentinel. License: MIT. You can self-host it for free if you don't trust the hosted version — that's the whole point of an open-source indie SaaS.

06 Reporting a vulnerability

Email wndnjs3865@gmail.com with the subject [security]. I read security mail before everything else. Solo dev — no formal bounty program (yet), but I'll credit you publicly with permission and fix in the open. Please give me a reasonable disclosure window before publishing details.

07 What we don't do

Last updated: 2026-05-08. If you're a security researcher and something here looks weak, please write — I'd rather hear it from you than from an attacker.