Security & Privacy

Intellitoggle is designed with security and privacy in mind. This page explains how feature flag evaluations, API requests, and developer integrations are secured.

1. Data Handling

  • Feature flag evaluations are stateless and performed securely.

  • Context attributes are only used for evaluation; they are not persisted.

  • Sensitive fields can be marked as privateAttributes to exclude them from logs and telemetry.

Example with private attributes
{
  "targetingKey": "user-123",
  "plan": "enterprise",
  "privateAttributes": ["email", "phone"]
}

2. Transport Security

  • All SDK and API communication is encrypted using TLS (HTTPS).

  • Development mode allows http://localhost for testing only.

  • Certificates must be valid and trusted in production deployments.

3. Authentication & Authorization

  • All SDKs and APIs require a valid API key or OAuth2 client secret.

  • Tokens are time-bound with configurable TTL (default: 60 minutes).

  • Automatic token refresh occurs with a 10-minute buffer before expiry.

  • Multi-tenancy is enforced via the X-Tenant-ID header on all requests.

headers: {
  'Authorization': 'Bearer $token',
  'X-Tenant-ID': tenantId,
}

4. Privacy Controls

  • Anonymous contexts are supported ("anonymous": true) for non-identifiable targeting.

  • Use privateAttributes to prevent sensitive data from being exposed in logs.

  • No Personally Identifiable Information (PII) is stored by default.

  • Attribute minimization is encouraged — send only what is necessary for flag evaluation.

5. Compliance

Intellitoggle is designed to support compliance with common standards:

  • GDPR: Developers control which attributes are transmitted.

  • SOC2: Operational and security best practices followed.

  • HIPAA (if applicable): Use caution with protected health information (PHI).

Future compliance certifications will be published on the Intellitoggle website.

6. Best Practices for Developers

  • Avoid sending raw PII (e.g., emails, phone numbers) as evaluation attributes.

  • Use privateAttributes for sensitive fields that must be sent.

  • Rotate API keys and OAuth client secrets regularly.

  • Use environment-specific credentials (development, staging, production).

  • Enable TLS everywhere outside local development.

7. Further Reading