Security
Last updated: 31 March 2026
Architecture security
The Cascade control panel runs on Aftora's edge infrastructure. Your customer workloads — VMs, containers, game servers, databases — run on your own hardware, managed by the Cascadia daemon you install on your nodes.
The fundamental security model is this: Aftora cannot access raw customer workload data. We operate the panel; you operate the hardware. Customer data — VM disk images, container filesystems, database contents, file uploads — never transits Aftora systems. It stays on your nodes.
Transport security
- All panel-to-browser communication is served over TLS 1.3 via Cloudflare.
- Communication between the Cascade panel and the Cascadia daemon on your nodes uses an encrypted WebSocket connection (TLS 1.3). Connections are authenticated using per-node tokens generated at installation time.
- TLS certificates for managed domains are issued and renewed automatically.
Authentication
- TOTP / 2FA — two-factor authentication via TOTP (compatible with any standard authenticator app) is available on all accounts and enforced for administrator roles.
- API key management — API keys are scoped, labelled, and can be revoked individually from the panel. Keys are shown only once at creation.
- Session management — sessions have configurable idle and absolute timeouts. All active sessions are visible and can be revoked from the security settings page.
- Passwords are hashed using a modern adaptive algorithm (bcrypt/Argon2). Plain-text passwords are never stored or logged.
Infrastructure
- Primary infrastructure: Hetzner, Germany (EU/EEA). Customer data processed through the panel remains within the EEA.
- DDoS protection: Cloudflare sits in front of all panel endpoints, providing DDoS mitigation and WAF capabilities.
- Network isolation: Panel infrastructure is network-isolated from customer node networks. There is no lateral path from the panel to customer workloads — all communication is initiated by the Cascadia daemon over an outbound connection.
What we do not do
- Card numbers: We do not store payment card numbers. All card processing is handled by Stripe. We receive a token reference only.
- SSH keys: Raw SSH private keys are not stored server-side. Where SSH access is provisioned via the panel, keys are passed directly to the Cascadia daemon and not retained in the Aftora database.
- Workload data: We do not log or inspect the contents of customer workloads — VM memory, container filesystems, database rows, uploaded files.
Patch policy
| Severity | Target patch time |
|---|---|
| Critical | Within 24 hours of a confirmed report |
| High | Within 72 hours |
| Medium | Within 2 weeks |
| Low / informational | Addressed in next scheduled release |
Responsible disclosure
If you have found a security vulnerability in the Cascade platform or any Aftora infrastructure, please report it to us before disclosing it publicly.
Email: security@aftora.io
We aim to acknowledge all reports within 24 hours and will keep you updated as we investigate and remediate.
We do not currently operate a paid bug bounty programme. If you report a valid vulnerability, we will credit you publicly (with your permission) when the fix ships. We ask that you do not exploit the vulnerability beyond what is necessary to demonstrate it, and that you give us reasonable time to address it before any public disclosure.
Contact
Security matters: security@aftora.io
General enquiries: hello@aftora.io
Web: aftora.io