Security & Privacy

Your trust is our foundation

Introduction

At Bay Tides, we believe privacy is a fundamental right. Our infrastructure is designed from the ground up to protect your data, respect your anonymity, and provide secure access to information—even in regions where internet freedom is restricted.

  • Protected by Cloudflare Project Galileo
  • WCAG 2.2 AAA compliant
  • Zero tracking enforced

Infrastructure Security

Enterprise-grade protection for a nonprofit mission

DDoS Mitigation

Unlimited protection against volumetric, protocol, and application-layer attacks. Malicious traffic is absorbed at the edge before reaching our servers.

Web Application Firewall

Managed rulesets block SQL injection, cross-site scripting, and OWASP Top 10 threats automatically, with custom rules for our specific needs.

Bot Management

Machine learning-powered detection blocks credential stuffing, content scraping, and automated abuse while allowing legitimate traffic through.

TLS 1.3 Encryption

All connections use the latest encryption standard. HTTPS is enforced site-wide with HSTS preloading and automatic certificate management.

Static Architecture

No server-side database means no SQL injection, session hijacking, or server compromise risks. Attack surface is minimized by design.

Global CDN

Content is served from 300+ edge locations worldwide, reducing latency and providing redundancy against regional outages or attacks.

Privacy Features

Tools and practices that protect your anonymity

Tor Hidden Service

Access Bay Tides via our .onion address for complete anonymity. Your IP address is never visible to our servers when using Tor.

Snowflake Proxy

We run a Tor Snowflake proxy to help people in censored regions access the free internet, supporting global digital freedom.

No Fingerprinting

We don't use browser fingerprinting, canvas tracking, or any technique to identify users across sessions.

System Fonts

We use your device's native fonts instead of Google Fonts, eliminating requests to Google's servers when you visit.

No Social Trackers

No Facebook Pixel, Twitter widgets, or social media embeds that monitor your browsing behavior across the web.

Local Preferences

Your settings (theme, accessibility options) are stored locally in your browser, never transmitted to our servers.

What We Don't Collect

Privacy means not collecting data in the first place

  • IP addresses or device fingerprints
  • Browsing history or search history
  • Click patterns or mouse movements
  • Gender or demographic profiling
  • Names or emails (unless voluntarily provided)

Self-Hosted & Open Source

We control our infrastructure so your data doesn't end up with third parties

We believe privacy promises are only as good as the infrastructure behind them. That's why we self-host as much as possible using open-source software. When your data stays on systems we control, we can actually guarantee where it goes—and where it doesn't.

Plausible Analytics

Privacy-focused web analytics with no personal data collection and full GDPR compliance.

Your browsing data stays on our infrastructure, not with Google or other ad-tech companies.

Form Processing

Contact forms are processed by our own Cloudflare Workers—no third-party form services.

Your messages go directly to us without passing through data-collecting intermediaries.

Document Platform

Volunteer waivers and forms are generated client-side using open-source PDF libraries.

Your personal information never leaves your browser until you explicitly submit it.

Our Open Source Commitment

We prioritize open-source solutions because they can be audited, verified, and trusted by the community. Proprietary software often comes with hidden data collection—open source doesn't. When we say your data is private, you can verify it yourself.

Security Practices

How we maintain security throughout our development lifecycle

Automated Security Scanning (GitHub)

Dependabot monitors all dependencies for known vulnerabilities and automatically creates pull requests for security updates.

Code Review (GitHub)

All code changes require review before deployment. No direct commits to production branches.

Continuous Integration (GitHub Actions)

Automated testing, linting, and security checks run on every pull request before merge.

Content Security Policy (Cloudflare)

Strict CSP headers prevent XSS attacks by controlling which resources can be loaded.

Subresource Integrity (Build Process)

External resources include integrity hashes to prevent tampering.

Security Headers (Cloudflare)

X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers are enforced.

Report a Vulnerability

Help us keep Bay Tides secure

We take security seriously and appreciate responsible disclosure of any vulnerabilities you may find. If you discover a security issue, please report it to us privately.

Contact Form

Use our secure contact form to report vulnerabilities privately

What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any suggested remediation

We commit to acknowledging reports within 48 hours and will work with you to understand and address the issue. We do not pursue legal action against researchers who act in good faith.

Explore our commitment to privacy and transparency through our policies and practices.