Cloudflare Security Layer

VULK uses Cloudflare for edge delivery, deploy hosting, WAF/DDoS protection, R2 assets, and parts of the generated-app runtime. Persistent application data lives in PostgreSQL through vulk-api-engine.

Architecture

Secrets Management

API keys and sensitive configuration are stored encrypted and injected into the runtime environment only when needed:

How It Works

1. You add secrets via the VULK dashboard (Secrets Manager)
2. Secrets are encrypted before storage
3. Stored as runtime environment variables for the deployed app/backend
4. Only the deployed runtime can access them
5. Never exposed in code, logs, or responses

Security Guarantees

• Encrypted at rest — AES-256 encryption
• Encrypted in transit — TLS 1.3
• Isolated per-project — Each deployment has its own secrets
• No plain text storage — Secrets are never stored unencrypted
• Automatic rotation — Update secrets without redeploying code

Data Locations

Cloudflare automatically routes static assets and edge traffic to the nearest edge location:

• 200+ data centers worldwide
• Sub-50ms latency from most locations
• Automatic failover if any location has issues

Compliance

Cloudflare maintains certifications for:

• SOC 2 Type II
• ISO 27001
• GDPR compliance
• PCI DSS (for payment data)

What This Means for You

When you deploy with VULK:

1. Your frontend and assets run at the edge - Fast for users everywhere
2. Your secrets are encrypted - Never exposed
3. Your data is protected - Enterprise security by default
4. You don't manage servers - Cloudflare handles infrastructure