Compliance

Trust, posture, & privacy matrices.

takedowns is designed with strict data minimization principles. We map technical protocols directly to user safety requirements.

Security Architecture

takedowns operates inside a hardened Node.js deployment environment. We enforce strict Content Security Policies (CSP) via Helmet headers, restricting script execution origins, base-uri paths, and prohibiting inline script handlers to mitigate cross-site scripting (XSS) risks.
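The three CSP properties named above can be checked against any response header. The following is an added example, not takedowns' own code: a Node.js audit function with hypothetical names (`parseCsp`, `auditCsp`) and constructed sample policies. It assumes the header value has already been captured as a string.

```javascript
// Added example: audit a Content-Security-Policy header value.
// Sample policies are constructed, not taken from any real deployment.
const BROAD_SOURCES = new Set(['*', 'http:', 'https:', 'data:']);

// Parse "name v1 v2; name2 v3" into a Map of directive -> [values].
// Values are lowercased; only keywords and schemes matter for this audit.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    // When a directive is repeated, browsers keep the first occurrence.
    if (name && !directives.has(name)) directives.set(name, values);
  }
  return directives;
}

// Return the source list of the first directive present in the fallback chain.
function effective(directives, chain) {
  const name = chain.find((n) => directives.has(n));
  return name ? directives.get(name) : null;
}

function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];

  const scriptSrc = effective(d, ['script-src', 'default-src']);
  if (scriptSrc === null) findings.push('SCRIPT_SRC_UNRESTRICTED');
  else if (scriptSrc.some((v) => BROAD_SOURCES.has(v))) findings.push('SCRIPT_SRC_BROAD');

  // Inline event handlers fall back script-src-attr -> script-src -> default-src.
  // Conservative: 'unsafe-inline' is flagged even if a nonce or hash would override it.
  const attrSrc = effective(d, ['script-src-attr', 'script-src', 'default-src']);
  if (attrSrc === null || attrSrc.includes("'unsafe-inline'")) {
    findings.push('INLINE_HANDLERS_ALLOWED');
  }

  // base-uri is not a fetch directive, so default-src never covers it.
  const baseUri = d.get('base-uri');
  if (!baseUri) findings.push('BASE_URI_MISSING');
  else if (baseUri.includes('*')) findings.push('BASE_URI_BROAD');

  return findings;
}

const STRICT = "default-src 'self'; script-src 'self' https://cdn.example; script-src-attr 'none'; base-uri 'self'";
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const DEFAULT_ONLY = "default-src 'self'";

for (const [label, policy] of Object.entries({ STRICT, WEAK, DEFAULT_ONLY })) {
  console.log(label, auditCsp(policy));
}
```

The `DEFAULT_ONLY` case shows why base-uri has to be set explicitly: a policy with only `default-src 'self'` still leaves the `<base>` element unrestricted.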

All network traffic is carried exclusively over TLS 1.3, ensuring confidentiality and protection against packet-level eavesdropping.

Data Protection

We apply layered request-validation controls on every state-modifying operation to verify browser origin and prevent cross-organization exposure. All database entries are isolated in per-tenant partitions, and direct object references are never exposed through public endpoints.

Perceptual matching is performed in isolated processing pipelines. Raw media is never persisted on takedowns infrastructure — only fingerprints and metadata leave a trace.

Evidence Handling

Evidence logs are chronologically structured. When operators verify exposing links, the platform exports a complete, self-contained record of the target page — including scripts, styles, and any embedded media — into a tamper-evident evidence bundle.

These bundles are stored in isolated directories outside the public web root, protected from indexing, and checksummed to maintain a defensible chain of custody for legal holds.

Authentication

User credentials are protected with strong adaptive password hashing, salted per account. Session tokens are short-lived, rotated continuously, and bound to secure browser cookies to prevent client-side interception.

Multi-factor authentication is available for every account, ensuring protection even if a primary password is compromised.

Billing

All subscriptions, plan changes, and transactions are processed directly via secure Stripe APIs. takedowns servers never store, process, or see raw credit card values; billing state is managed through Stripe's client-side inputs and webhook checks.

Permissions

We enforce strict Role-Based Access Control (RBAC). General advocates access only their assigned survivor case directories. Organization managers manage billing details, and superadmins apply security settings and perform key rotations. Every configuration adjustment is recorded in system logs.

Transparency & Disclaimers

takedowns is an automated workflow, evidence collection, and compliance notification platform. We are not a law enforcement organization, database index, private investigator service, or legal counsel.

We provide structured technical tools to speed up takedown notices and maintain proof logs. We believe in transparency, publishing data-minimization policies, and running regular server-level safety scans.