> ## Documentation Index
> Fetch the complete documentation index at: https://code.dcycle.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Compliance

> How Dcycle protects your data — API key security, data protection, access control, logging, and incident response

# Security & Compliance

Dcycle is designed for enterprise operational data management. This page covers how we protect your data, manage access, and handle security across the platform and API.

<CardGroup cols={3}>
  <Card title="API Key Security" icon="key" href="#api-key-lifecycle">
    Creation, storage, rotation, and revocation
  </Card>

  <Card title="Data Protection" icon="shield" href="#data-protection">
    Encryption, residency, and GDPR compliance
  </Card>

  <Card title="Logging & Access" icon="clipboard-list" href="#logging--auditability">
    Audit trails, access control, and monitoring
  </Card>
</CardGroup>

***

## API Key Lifecycle

API keys are the primary credential for programmatic access to Dcycle. For step-by-step instructions on creating and using API keys, see [Authentication](/docs/authentication).

| Phase          | What Happens                                                   |
| -------------- | -------------------------------------------------------------- |
| **Creation**   | Generated via Dcycle web UI, bound to the creating user        |
| **Storage**    | Stored in an encrypted PostgreSQL database (AWS RDS, AES-256)  |
| **Protection** | All communication over TLS 1.2+ (HTTPS enforced)               |
| **Rotation**   | Create a new key, migrate integrations, revoke the old one     |
| **Revocation** | Immediate via the UI — all requests with that key return `401` |

<AccordionGroup>
  <Accordion title="Creation">
    API keys are generated from the Dcycle web application under **Settings > API Keys**. Each key is bound to the user who created it — all data uploaded with that key is attributed to that user for audit and compliance purposes.

    Keys are displayed **once** at creation time and cannot be retrieved afterward. You can name keys descriptively (e.g., "Production ETL Pipeline") to track their purpose.

    [How to create an API key →](/docs/authentication#get-an-api-key)
  </Accordion>

  <Accordion title="Server-side storage">
    API keys are stored in an encrypted PostgreSQL database hosted on **AWS RDS** with encryption at rest enabled (AES-256). Only a key prefix is displayed in the management UI after initial creation.

    The database is deployed in a private VPC subnet with no public internet access. Access is restricted to application servers via security groups.
  </Accordion>

  <Accordion title="Protection in transit">
    All API communication uses **TLS 1.2+** (HTTPS enforced). HTTP requests are rejected at the load balancer level.

    API keys are transmitted in request headers (`x-api-key`) over encrypted connections. We recommend storing keys in environment variables or secret managers — never in source code or version control.

    [Security best practices →](/docs/authentication#security-best-practices)
  </Accordion>

  <Accordion title="Rotation">
    We recommend rotating API keys every **3-6 months**. The rotation process requires no downtime:

    1. Generate a new API key
    2. Update your integrations to use the new key
    3. Verify the new key works correctly
    4. Revoke the old key

    Multiple active keys can coexist per organization, enabling zero-downtime rotation.
  </Accordion>

  <Accordion title="Revocation">
    API keys can be revoked immediately from the management UI (**Settings > API Keys**). Once revoked, all requests using that key return `401 Unauthorized` instantly. This action cannot be undone.

    [How to revoke an API key →](/docs/authentication#revoke-an-api-key)
  </Accordion>
</AccordionGroup>

***

## Data Protection

<CardGroup cols={2}>
  <Card title="Encryption in Transit" icon="lock">
    **TLS 1.2+** enforced on all endpoints. HTTP connections are rejected. All data between your systems and Dcycle is encrypted end-to-end.
  </Card>

  <Card title="Encryption at Rest" icon="database">
    **AES-256** encryption via AWS RDS for all database storage. S3 buckets use server-side encryption (SSE-S3/SSE-KMS) for uploaded files.
  </Card>

  <Card title="Data Residency" icon="globe">
    **EU-hosted** — all data is stored and processed in AWS `eu-west-1` (Ireland). No data leaves the European Union.
  </Card>

  <Card title="GDPR Compliance" icon="scale-balanced">
    Dcycle acts as **data processor** under GDPR. Data processing agreements (DPAs) are available on request.
  </Card>
</CardGroup>

<AccordionGroup>
  <Accordion title="Backups & recovery">
    Automated daily backups with **7-day retention** via AWS RDS automated snapshots. In case of accidental data deletion, contact [contact@dcycle.io](mailto:contact@dcycle.io) within 7 days with your organization ID and a description of the affected data.
  </Accordion>

  <Accordion title="Data deletion">
    Users can delete records at any time via the API or web application. Deleted records are removed from the primary database immediately. Backup copies are purged automatically after the 7-day retention window.
  </Accordion>

  <Accordion title="Infrastructure">
    Dcycle runs on **AWS** (Amazon Web Services) with the following architecture:

    * **Compute**: ECS Fargate (containerized, serverless)
    * **Database**: RDS PostgreSQL (encrypted, private subnet)
    * **Storage**: S3 (server-side encryption)
    * **Load balancing**: Application Load Balancer with TLS termination
    * **Network**: VPC with private subnets, no direct internet access to databases

    All infrastructure is managed with Infrastructure as Code (AWS CDK) for consistency and auditability.
  </Accordion>
</AccordionGroup>

***

## Access Control

Dcycle uses **organization-level access control** with role-based permissions. Every API request is scoped to a single organization via the `x-organization-id` header.

### Roles

| Role       | Access Level                              | Typical Use                      |
| ---------- | ----------------------------------------- | -------------------------------- |
| **Admin**  | Full access to all resources and settings | Organization owners and managers |
| **Member** | Create, read, update, and delete data     | Day-to-day data management       |
| **Viewer** | Read-only access                          | Auditors, external reviewers     |

### Organization Isolation

* Users can only access organizations where they have an active membership
* Each API request is scoped to a single organization — cross-organization data access is not possible without explicit membership
* Parent organizations (holdings) can view aggregated data from subsidiaries when configured

### Permission Model

Permissions are defined as `resource:action` pairs (e.g., `facilities:create`, `vehicles:read`). Available actions are: **create**, **read**, **update**, **delete**. Administrators can configure custom permission sets per role within their organization.

***

## Logging & Auditability

### What Is Logged

Every API request generates a structured log entry containing:

| Field               | Description                                                    |
| ------------------- | -------------------------------------------------------------- |
| **Timestamp**       | When the request was received                                  |
| **Method & Path**   | HTTP method and endpoint (e.g., `POST /v1/logistics/requests`) |
| **Status Code**     | Response HTTP status                                           |
| **Organization ID** | Which organization the request targeted                        |
| **Client IP**       | Source IP address                                              |
| **Correlation ID**  | Unique identifier for request tracing                          |
| **Process Time**    | Request processing duration                                    |

### User Attribution

All data created via API is linked to the user who owns the API key. Every record includes:

* `created_by` — the user who created the record
* `created_at` — timestamp of creation
* `updated_at` — timestamp of last modification

This ensures full traceability for compliance and audit purposes.

### Request Tracing

Each API response includes tracing headers that can be provided to Dcycle support for incident investigation:

```
X-Request-ID: unique-request-identifier
X-Correlation-ID: correlation-identifier
```

<Tip>
  Save these headers when debugging integration issues. Include them when contacting support to speed up investigation.
</Tip>

***

## Integration Patterns

The Dcycle API supports multiple integration approaches depending on your needs:

| Pattern       | Description                                  | Typical Use Case                       |
| ------------- | -------------------------------------------- | -------------------------------------- |
| **Manual**    | Ad-hoc API calls or web application use      | One-time data uploads, exploration     |
| **Scheduled** | Cron jobs, CI/CD pipelines, periodic scripts | Monthly reporting, data sync           |
| **Automated** | Event-driven, real-time API integrations     | ERP integration, continuous data feeds |

### Network Requirements

<Note>
  The Dcycle API is a **public HTTPS endpoint** (`api.dcycle.io`). No VPN, dedicated IP, firewall allowlisting, or special network configuration is required. Any environment with outbound HTTPS access (port 443) can connect.
</Note>

### Rate Limits

Default rate limits apply to all API keys:

| Limit            | Value                 |
| ---------------- | --------------------- |
| Per organization | 1,000 requests/minute |
| Per API key      | 50 requests/second    |

Rate limit headers are included in every response:

* `X-RateLimit-Limit` — maximum requests allowed
* `X-RateLimit-Remaining` — requests remaining in the current window
* `X-RateLimit-Reset` — time until the limit resets

Contact [contact@dcycle.io](mailto:contact@dcycle.io) if you need higher limits for your use case.

For detailed integration examples, see [Automation Overview](/guides/automation/overview) and [Reporting Pipelines](/guides/automation/reporting-pipelines).

***

## Incident Response

### Reporting Security Issues

Report security concerns to [**contact@dcycle.io**](mailto:contact@dcycle.io). Include as much detail as possible: what you observed, when it happened, and any relevant request/correlation IDs.

### Our Process

| Phase             | Description                                                            |
| ----------------- | ---------------------------------------------------------------------- |
| **Detection**     | Automated monitoring and alerting across all infrastructure components |
| **Triage**        | Security team assesses severity and impact                             |
| **Notification**  | Affected customers notified within **72 hours** per GDPR requirements  |
| **Resolution**    | Root cause analysis and remediation applied                            |
| **Post-incident** | Post-incident report provided to affected customers on request         |

<Info>
  Dcycle continuously monitors infrastructure health, application performance, and security events using AWS CloudWatch, automated alerting, and log analysis.
</Info>

***

## Next Steps

<CardGroup cols={3}>
  <Card title="Authentication" icon="key" href="/docs/authentication">
    Set up API keys, CLI login, and MCP integration
  </Card>

  <Card title="API Reference" icon="code" href="/api-reference/introduction">
    Explore all available endpoints
  </Card>

  <Card title="Support" icon="envelope" href="/docs/support">
    Contact our team for questions
  </Card>
</CardGroup>
