Data Residency
CTFFactory is built with data residency in mind, giving organizations confidence about where their data is stored and processed. This page describes the current hosting model, what data CTFFactory stores, and how workspace and tenant isolation is implemented.
Current Hosting Region
CTFFactory's primary infrastructure is hosted in Canada (Toronto, Ontario, ca-central-1 equivalent). All customer data at rest and the compute infrastructure powering challenge generation, CTF deployments, and the web application are located within Canadian borders.
This residency model is particularly relevant for:
- Canadian public sector and government organizations subject to the Privacy Act and PIPEDA/Bill C-27
- Organizations that must comply with provincial data sovereignty requirements (e.g., Quebec Law 25)
- Academic institutions under FIPPA or ATIPPA jurisdictions
Note: SOC 2 Type II certification is currently in progress. Existing customers may request a copy of the current SOC 2 readiness report and trust posture documentation by contacting [email protected].
Data Residency Selection (Enterprise)
Enterprise plan workspaces can select their preferred data residency region at the time of account provisioning. Available regions are communicated during the enterprise onboarding process. Workspaces on Starter and Pro plans are hosted in the default Canadian region.
What Data CTFFactory Stores
| Data Category | Examples | Stored In |
|---|---|---|
| Account data | Name, email, hashed password, MFA configuration | Canada (encrypted at rest) |
| Workspace configuration | Settings, branding assets, custom domain, SSO config | Canada (encrypted at rest) |
| Challenge content | Generated challenge descriptions, files, Dockerfiles, flags | Canada (encrypted at rest) |
| CTF event data | Event settings, participant list, submissions, scoreboard | Canada (encrypted at rest) |
| Learning path data | Path definitions, card content, learner progress, evidence uploads | Canada (encrypted at rest) |
| Open Badge credentials | Signed badge assertions, issuance records | Canada (encrypted at rest) |
| Audit logs | Admin actions, login events, API key usage | Canada (retained 12 months) |
| Webhook delivery logs | Event payloads and delivery status | Canada (retained 30 days) |
| AI generation logs | Prompt context, generated outputs (for abuse detection) | Canada (retained 90 days) |
Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed via a dedicated key management service within the same Canadian region.
Workspace and Tenant Isolation
Each CTFFactory workspace is a logically isolated tenant. Isolation is enforced at multiple layers:
Application Layer
All API requests and database queries are scoped to a workspace identifier. Row-level security policies on the primary database prevent any cross-workspace data access, even in the event of an application-level bug.
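The row-level scoping described above, as an added example that is not CTFFactory's code or schema: it assumes PostgreSQL and uses a hypothetical `challenges` table, `app_rw` role and `app.workspace_id` session setting to show a policy that still filters a query the application forgot to scope, and that fails closed when no workspace is set.

```sql
-- Assumptions (not from the page): PostgreSQL, a "challenges" table,
-- an application role "app_rw", and a session setting "app.workspace_id".
CREATE TABLE challenges (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    title        text NOT NULL
);

-- Constructed sample rows for two tenants.
INSERT INTO challenges (workspace_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Workspace A: web-100'),
    ('22222222-2222-2222-2222-222222222222', 'Workspace B: pwn-200');

-- The application connects as a non-owner role without BYPASSRLS.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON challenges TO app_rw;
GRANT USAGE ON SEQUENCE challenges_id_seq TO app_rw;

ALTER TABLE challenges ENABLE ROW LEVEL SECURITY;
ALTER TABLE challenges FORCE ROW LEVEL SECURITY;  -- apply to the table owner too

-- An unset or empty setting becomes NULL, so the predicate is never true
-- and no rows are visible or writable (fail closed).
CREATE POLICY workspace_isolation ON challenges
    USING (workspace_id =
           NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id =
           NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Per-request pattern: bind the tenant for the duration of one transaction.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';

-- Simulated application bug: no WHERE clause on workspace_id.
-- The USING clause is applied to this query by the database.
SELECT title FROM challenges;

-- Cross-workspace write attempt, evaluated against the WITH CHECK clause.
INSERT INTO challenges (workspace_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;
```

Superusers and roles with `BYPASSRLS` are not subject to the policy, so the guarantee only holds when the application connects as a restricted role such as the hypothetical `app_rw`.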
Compute and Deployment Layer
Deployed CTFd instances run in isolated containers with dedicated network namespaces. Each deployment receives its own namespace, preventing participants or the CTFd application from accessing resources belonging to another workspace's deployments.
Storage Layer
Challenge files, evidence uploads, and branding assets are stored in workspace-prefixed object storage paths with access policies that reject cross-workspace requests at the storage layer, independent of application logic.
Audit and Logging
Audit logs are workspace-scoped. An Owner or Admin of Workspace A cannot access the audit logs of Workspace B, even if the same user account is a member of both workspaces.
Data Deletion
When a workspace is deleted:
- All workspace data (challenges, CTF events, learning path records, member associations) is marked for deletion.
- Active deployments are stopped immediately.
- Object storage assets (files, images) are permanently deleted within 24 hours.
- Database records are permanently purged within 7 days.
- Audit logs are retained for the remainder of their 12-month retention period before deletion, in accordance with compliance obligations.
Individual users can request deletion of their personal account data by submitting a request to [email protected]. Account deletion is completed within 30 days in compliance with applicable privacy legislation.
Sub-Processors
CTFFactory uses a limited number of sub-processors to deliver the service (e.g., cloud infrastructure provider, email delivery service). A current list of sub-processors is available at https://ctffactory.io/legal/sub-processors. All sub-processors are contractually bound to process data only within approved regions and in accordance with CTFFactory's privacy obligations.