Transparency
Where the bytes go, and who can see them.
Last updated 2026-05-21. Snapshot of the v0.2 line production deployment.
Operator
Where the bytes physically live
Every byte of every share — ciphertext, metadata, audit-chain entries, logs — sits on a single Linux VM in Falkenstein FSN1, Germany, leased from Hetzner Online GmbH. Hetzner is a wholly EU-incorporated company (Gunzenhausen, Bavaria) with no US parent — there is no US CLOUD Act exposure that AWS Frankfurt or Azure Germany retain via their US-incorporated ultimate owners.
DNS for slothbox.philipsloth.com points straight at the VM's public IP (Cloudflare is configured as DNS-only, NOT proxied — no Cloudflare edge sits in the data path). TLS terminates inside the VM at Caddy 2.8 with Let's Encrypt certificates issued via ACME HTTP-01. No US-jurisdiction CDN or WAF intermediates the bytes.
Sub-processors
Third parties that touch share data in the production data path:
| Party | Role | Jurisdiction |
|---|---|---|
| Hetzner Online GmbH | Compute + storage (host) | Germany · EU |
| Let's Encrypt (ISRG) | TLS certificate issuance only | USA |
Let's Encrypt is a US-jurisdiction nonprofit but it sees ZERO share data — only the domain name during the ACME challenge. The certificate-issuance path does not transit ciphertext, plaintext, or metadata.
Third parties that touch operator data (not share data):
| Party | Role | Jurisdiction |
|---|---|---|
| GitHub (Microsoft) | Source code hosting + CI runners | USA |
| Cloudflare DNS | Authoritative DNS records for the domain | USA |
GitHub sees the open-source code (already public). Cloudflare DNS sees the A-record IP and resolver queries from visitors — same as any other authoritative DNS.
Cookies, trackers, analytics
Zero of each. No first-party cookies are set by the marketing pages, no analytics script ships in the bundle, no third-party tag manager runs. The only state kept in your browser is what you opted into:
- `slothbox.myShares.v1` in localStorage: the list of shares this device created plus the 32-byte revoke token for each (see /my-shares). This list lives only in your browser. The server stores the ciphertext and a hash of the revoke token; it has no concept of "shares created by this user" because v0.2 has no accounts. Cleared on browser data wipe.
- `slothbox.lang` in localStorage: language preference, picked up from the UI's en/da toggle.
Logs kept
Self-hosted observability stack (Prometheus, Grafana, Loki, Promtail) runs in the same VM. The logged fields:
- Request method, path, status code, duration, request-id
- Hashed sender IP (SHA-256, truncated) on share-create, used for rate-limiting only; the raw IP is never written. This page does not state whether the hash is keyed. An unkeyed hash of an IPv4 address can be reversed by enumerating the 2^32 possible inputs, so treat this field as pseudonymous rather than anonymous.
- Coarse sender region (e.g. "EU-DK") on share-create, for receipt metadata
- Audit-chain events (share_created, share_destroyed, share_downloaded)
Logs are retained 30 days (rolling), audit-chain entries forever (they're the tamper-evidence anchor — see /security). Logs never contain plaintext content, decryption keys, passwords, or raw IPs.
Audit status
| Component | When | Status |
|---|---|---|
| libsodium (browser primitives) | Ongoing | Audited upstream (NCC Group + others) |
| age (asymmetric, v1.0+) | 2022 | Audited upstream (NCC Group) |
| SlothBox integration code | — | Not yet; external review is a v1.0 hard gate |
| API gateway authn/z + rate limit | — | Not yet pen-tested |
| Postgres RLS policies | — | Not yet pen-tested |
Until v1.0 ships with the external integration audit published under /audits/, SlothBox is suitable for portfolio review and personal experimentation only. The README and SECURITY policy state this gap explicitly.
How to verify any of the above
The source is public — every claim on this page is grounded in something you can inspect:
- DNS: `dig slothbox.philipsloth.com A` resolves to the Hetzner VM's public IP, not a Cloudflare edge address.
- TLS: `openssl s_client -connect slothbox.philipsloth.com:443 -servername slothbox.philipsloth.com` shows a Let's Encrypt intermediate as issuer, chaining to ISRG Root X1, not a Cloudflare certificate.
- Cookies on a fresh visit: `document.cookie` in DevTools is empty, and stays empty; opting into /my-shares adds the localStorage keys listed above, never a cookie.
- Sub-processor list: `docker-compose.prod.yml` lists every container in the data path.