Security & Privacy
IntelliToggle is designed with security and privacy in mind. This page explains how feature flag evaluations, API requests, and developer integrations are secured.
1. Data Handling
-
Feature flag evaluations are stateless and performed securely.
-
Context attributes are used for evaluation and should be minimized.
-
Sensitive fields can be marked as
privateAttributesto exclude them from logs and telemetry.
{
"targetingKey": "user-123",
"plan": "enterprise",
"privateAttributes": ["email", "phone"]
}2. Transport Security
-
All SDK and API communication is encrypted using TLS over HTTPS.
-
Development mode allows
http://localhostfor testing only. -
Certificates must be valid and trusted in production deployments.
3. Authentication and Authorization
-
All SDK and API access uses OAuth2 client credentials and time-bound access tokens.
-
Tokens are short-lived and refreshed automatically by the provider when needed.
-
Multi-tenancy is enforced via the
X-Tenant-IDheader on all requests.
headers: {
'Authorization': 'Bearer $token',
'X-Tenant-ID': tenantId,
}4. Privacy Controls
-
Anonymous contexts are supported with
"anonymous": truefor non-identifiable targeting. -
Use
privateAttributesto prevent sensitive data from being exposed in logs. -
No personally identifiable information should be sent unless it is required for evaluation.
-
Send only the attributes you need for flag evaluation.
5. Compliance
IntelliToggle is designed to support compliance-minded deployments, including GDPR and SOC2-oriented controls. If you handle regulated workloads, review your own data flows and retention policies before sending evaluation context.
6. Best Practices for Developers
-
Avoid sending raw PII such as emails or phone numbers as evaluation attributes.
-
Use
privateAttributesfor sensitive fields that must be sent. -
Rotate OAuth client secrets regularly.
-
Use environment-specific credentials for development, staging, and production.
-
Enable TLS everywhere outside local development.