Our portfolio security model is designed to protect SMB operations, control API spend, and reduce abuse risk while keeping onboarding fast. This page covers the controls currently enforced in production.
Encrypted transport (TLS)
Public traffic is served over HTTPS/TLS so data is encrypted in transit between clients and services.
Products use scoped API/auth checks, plan-based entitlements, and role constraints where team features are enabled.
Public and internal bridge endpoints apply per-IP throttles, usage caps, and validation checks to reduce abuse and scraping.
Card data is handled by Stripe, with webhook signature verification and entitlement updates after successful payment events.
High-level controls applied to DataWeaveAI portfolio flows.
| Control area | What is enforced | Risk reduced |
|---|---|---|
| Public endpoint protection | Per-IP throttling, stricter payload validation, and approved-origin checks on public portfolio endpoints. | Spam, endpoint brute force, and automated abuse of checkout/listing paths. |
| Internal bridge endpoints | Secret-key header requirements with constant-time compare and additional request throttles. | Unauthorized credit consumption and bridge endpoint misuse. |
| Bundle credit controls | Per-plan shared credit limits, seat constraints, and consumption checks before execution. | Runaway usage, margin collapse, and unrestricted account sharing. |
| Billing and activation | Stripe-hosted checkout, webhook signature verification, entitlement updates after paid events. | Payment spoofing and unauthorized plan activation. |
| Operational visibility | Logging, event tracking, and follow-up notifications on checkout and provisioning flows. | Undetected abuse and delayed incident response. |
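The webhook signature verification and constant-time header compare named in the table, as an added Python example (not DataWeaveAI's own code): it implements Stripe's documented Stripe-Signature scheme (HMAC-SHA256 over "{t}.{raw body}", hex v1 signature, 300-second timestamp tolerance) and the same compare for an internal bridge key. The secrets, event payload and timestamps are constructed placeholders.

```python
import hmac
import hashlib
import time

# Constructed sample secrets for the example only; real values live in config.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
BRIDGE_KEY = b"constructed-bridge-key-value"
TOLERANCE_SECONDS = 300  # reject events signed more than 5 minutes from now

def parse_stripe_signature(header):
    """Split 't=...,v1=...' into an int timestamp and the list of v1 signatures."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value.encode())
    return timestamp, signatures

def expected_signature(payload, timestamp, secret):
    """HMAC-SHA256 over '{timestamp}.{raw body}', hex encoded as Stripe does."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()

def verify_stripe_webhook(payload, header, secret=WEBHOOK_SECRET, now=None):
    """Return True only for a fresh event whose signature matches the secret."""
    timestamp, signatures = parse_stripe_signature(header)
    if timestamp is None or not signatures:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or replayed event
    expected = expected_signature(payload, timestamp, secret)
    # compare_digest runs in time independent of where the inputs differ
    return any(hmac.compare_digest(expected, sig) for sig in signatures)

def make_header(payload, timestamp, secret=WEBHOOK_SECRET):
    """Build a Stripe-style header for a constructed event (demo helper)."""
    return f"t={timestamp},v1={expected_signature(payload, timestamp, secret).decode()}"

def bridge_key_ok(header_value, expected=BRIDGE_KEY):
    """Constant-time check of the internal bridge secret-key header."""
    if header_value is None:
        return False
    return hmac.compare_digest(header_value.encode(), expected)
```

Entitlement updates should run only after verify_stripe_webhook returns True for the raw request body, since re-serialized JSON will not match the signed bytes.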
Portfolio APIs and workflow endpoints are designed to be usable for real customers but hostile to spam and abuse. That includes capped usage, metadata size limits, request validation, and stricter endpoint-level rate limits on flows commonly targeted by bots.