Checkrd

Security

Security is foundational to Checkrd. Your agent traffic never leaves your process boundary without policy evaluation.

Architecture

The Checkrd WASM core runs inside your agent’s process. Policy evaluation and signing happen locally. No data is sent to external servers unless you enable control plane integration.

WASM Sandbox

The core engine runs in a WebAssembly sandbox with no filesystem, network, or system call access. Security is architectural, not trust-based. Even if the core had a vulnerability, the blast radius is zero.

Encryption

TLS 1.2+ for all control plane communication. API keys use 256-bit entropy with SHA-256 hashing.

Data Classification

Checkrd stores only operational metadata (endpoint, method, status code, latency). Request and response bodies are never stored. This keeps the platform out of data-processor regulatory classification.

Infrastructure

Control plane runs on AWS with Aurora PostgreSQL (encrypted, multi-AZ), ElastiCache Redis (encryption at rest and in transit), and WAF protection (OWASP Top 10, rate limiting).

Reporting Vulnerabilities

If you discover a security vulnerability, please email security@checkrd.io. We aim to respond within 48 hours.