security
Last updated: February 2026
Latent Patterns is a small, deliberately simple service. We minimise our attack surface by minimising what we collect and what we run. This page describes how we protect your data and what you can expect from us.
1. infrastructure
Latent Patterns runs as a single Node.js process behind a reverse proxy (Caddy) that handles TLS termination. The server is hosted on dedicated infrastructure — not a shared hosting platform.
- All connections are served over HTTPS with TLS 1.2+.
- HTTP requests are redirected to HTTPS.
- Static assets are served directly by the reverse proxy.
- The admin interface is protected by WebAuthn passkey authentication (FIDO2).
2. data storage
User data is stored in a local SQLite database running in WAL mode. The database is not exposed to the network — it is accessed only by the application process.
- The database stores email addresses, session identifiers, subscription state, and lesson progress.
- We do not store passwords. Authentication uses single-use magic links.
- We do not store payment card details. All payment processing is handled by Stripe. We store only a Stripe customer ID and subscription status.
- Content (courses, glossary) is static and stored on disk — not in the database.
3. authentication
We use a passwordless magic link flow. There are no passwords to leak, brute-force, or reuse.
- Magic link tokens are cryptographically random, single-use, and expire after 15 minutes.
- Sessions are identified by a cryptographically random token stored in an httpOnly, Secure, SameSite=Lax cookie.
- Sessions expire after 30 days.
- Session tokens cannot be read or manipulated by client-side JavaScript.
- Admin users authenticate with WebAuthn passkeys (FIDO2 standard). Private keys never leave the authenticator device.
- Admin sessions use a separate cookie (admin_session) with SameSite=Strict and a 4-hour expiry.
- Destructive admin actions (user deletion, impersonation) require passkey re-authentication.
4. third-party services
We use a minimal set of third-party services:
- Stripe — payment processing. Stripe handles all card data and is PCI DSS Level 1 certified. We receive subscription lifecycle events via signed webhooks.
- SMTP provider — for sending magic link emails. The provider sees recipient email addresses and email content (the login link).
We do not use third-party analytics, advertising networks, tracking pixels, CDNs for user-specific content, or any service that profiles our users.
5. data retention
- Account data is retained for as long as your account exists.
- Expired session records are periodically purged.
- Used magic link tokens are retained briefly for audit purposes and then purged.
- Application audit logs (login events, content access, payment events) are retained for a minimum of 30 days and then purged.
- If you delete your account, all associated data — sessions, progress, subscription records — is permanently removed.
6. application security
- CSRF protection — SvelteKit provides built-in CSRF tokens for form actions. Session cookies use SameSite=Lax (Strict for admin).
- SQL injection — all database queries use parameterized statements via Drizzle ORM.
- XSS protection — SvelteKit escapes template output by default. Session cookies are httpOnly.
- Webhook verification — Stripe webhooks are verified using HMAC signature validation on the raw request body.
- Audit logging — all authentication events, admin actions, and payment events are logged with timestamps and actor information.
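The webhook verification item above, as an added example (not Latent Patterns' own code): it checks a Stripe-style signature header of the form t=<timestamp>,v1=<hex HMAC-SHA256> against the raw request bytes and shows why a parsed and re-serialized body fails. The secret, the event body, the function names and the 300-second replay window are assumptions made for this example.

```javascript
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 300; // replay window chosen for this example

// Split "t=<unix seconds>,v1=<hex>,..." into a timestamp and candidate signatures.
function parseSignatureHeader(header) {
  const parsed = { timestamp: null, signatures: [] };
  for (const part of String(header).split(',')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === 't' && /^\d+$/.test(value)) parsed.timestamp = Number(value);
    if (key === 'v1' && /^[0-9a-f]{64}$/.test(value)) parsed.signatures.push(value);
  }
  return parsed;
}

// HMAC-SHA256 over "<timestamp>.<raw body bytes>", the payload Stripe signs.
function computeSignature(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.`).update(rawBody).digest();
}

// rawBody must be the Buffer exactly as received, before any JSON parsing.
function verifyWebhook(rawBody, header, secret, nowSeconds) {
  if (!Buffer.isBuffer(rawBody)) return false;
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (timestamp === null || signatures.length === 0) return false;
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) return false; // stale or future-dated
  const expected = computeSignature(secret, timestamp, rawBody);
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return signatures.some((hex) => crypto.timingSafeEqual(expected, Buffer.from(hex, 'hex')));
}

// Constructed sample event and secret, for illustration only.
function demo() {
  const secret = 'whsec_constructed_example_only';
  const now = 1770000000;
  const raw = Buffer.from('{"id": "evt_constructed", "type": "customer.subscription.updated"}');
  const header = `t=${now},v1=${computeSignature(secret, now, raw).toString('hex')}`;
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(raw.toString())));
  return {
    rawBody: verifyWebhook(raw, header, secret, now),
    reserializedBody: verifyWebhook(reserialized, header, secret, now),
    replayedLater: verifyWebhook(raw, header, secret, now + 3600),
    wrongSecret: verifyWebhook(raw, header, 'whsec_other', now),
  };
}

console.log(demo());
```

Only the first case verifies: re-serializing the JSON drops the whitespace and changes the signed bytes, and the replayed request falls outside the timestamp window.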
7. what we don't do
- We do not store passwords.
- We do not store payment card numbers.
- We do not run third-party JavaScript (analytics, ads, social widgets).
- We do not use tracking cookies.
- We do not sell or share user data with anyone beyond the services listed above.
- We do not have a public-facing API beyond what the application itself uses.
8. cookies
We use two essential cookies:
- session — user authentication. httpOnly, Secure, SameSite=Lax. 30-day expiry.
- admin_session — admin authentication. httpOnly, Secure, SameSite=Strict. 4-hour expiry.
No tracking cookies, no third-party cookies.
9. reporting a vulnerability
If you discover a security vulnerability, please report it responsibly. Do not open a public issue.
- Email security@latentpatterns.com with a description of the issue and steps to reproduce.
- We will acknowledge your report within 48 hours.
- We ask for a 90-day disclosure window to investigate and remediate before public disclosure.
Our security.txt is available at the standard well-known URI.
10. contact
For security questions or concerns: security@latentpatterns.com