Security we can show you.

HMAC-SHA256 on every wire. AES-256-GCM at rest. Keys rotated every 15 minutes. SOC 2 Type II audited annually. You can read our pen-test report from our CISO's inbox by asking for it.

SOC 2 Type II · GDPR-ready · Annual pen-test
Crypto primitives: FIPS 140-3
Transit: TLS 1.3 · X25519
API signing: HMAC-SHA256
Body encryption: AES-256-GCM
Key rotation: 15 minutes
Replay window: ±90 seconds
Key custody: AWS KMS · HSM-backed
Per-site CMK: Yes · isolated
Cert pinning: HPKP · 30-day
Audit log: Immutable · hash-chained

Audited by people who don't work here.

SOC 2 Type II · Current
Audited by Prescient Assurance. Last report: Jan 2026. Next: Jan 2027.

GDPR · Current
Frankfurt and Paris regions. DPA provided on request. No data leaves the EU if you pick eu-central.

ISO 27001 · In progress
Scoped. Stage 1 audit Q3 2026. Certification target Q1 2027.

HIPAA BAA · Evaluating
For healthcare customers on Scale plan. Available on request; signed per-customer.

Every key. Every 15 minutes. Automatically.

Your HMAC signing key, your AES content-encryption key, and your KMS grant all rotate on a 15-minute tumbler. An attacker who captures a signed request has under a minute-and-a-half before the key is unreachable.

Rolling 90-minute window · site acme-shop.com
14:00 UTC · key_9f2c…a41b
14:15 UTC · key_e7d1…08f5
14:30 UTC · key_3b8a…92cc
14:45 UTC · key_71f5…3e2d
15:00 UTC · key_c4e0…7a19 ← current
15:15 UTC · pre-generating…
Each key is valid for exactly one window. A signed request with a key from two windows ago returns 401 Unauthorized · key_expired.
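How a 15-minute key window and a ±90-second replay window combine on the verifying side, as an added example that is not this vendor's code. The canonical string, the key-id scheme, the seen-signature cache and every reason string other than key_expired are assumptions made for illustration; the key material is constructed.

```python
import hashlib
import hmac

ROTATION_SECONDS = 15 * 60  # rotation interval stated on the page
REPLAY_SECONDS = 90         # replay window stated on the page (+/- 90 s)

def window_start(ts):
    """Start (Unix seconds) of the 15-minute rotation window containing ts."""
    return ts - ts % ROTATION_SECONDS

def sign(key, key_id, ts, method, path, body):
    # Assumed canonical string: key id, timestamp, method, path and body hash
    # are all covered by the MAC, so none can be altered independently.
    fields = [key_id, str(ts), method, path, hashlib.sha256(body).hexdigest()]
    return hmac.new(key, "\n".join(fields).encode(), hashlib.sha256).hexdigest()

def verify(keys, seen, now, key_id, ts, method, path, body, signature):
    """Return (status, reason). keys: key_id -> (window_start, key bytes).
    seen: signatures already accepted (entries older than 90 s can be pruned)."""
    if abs(now - ts) > REPLAY_SECONDS:
        return 401, "timestamp_outside_replay_window"
    entry = keys.get(key_id)
    # The key must belong to the window the signed timestamp falls in. Because
    # ts is within 90 s of now, a key from two windows ago can never match.
    if entry is None or entry[0] != window_start(ts):
        return 401, "key_expired"
    expected = sign(entry[1], key_id, ts, method, path, body)
    # Constant-time comparison: == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401, "bad_signature"
    if signature in seen:  # identical request replayed inside the 90 s window
        return 401, "replayed"
    seen.add(signature)
    return 200, "ok"

# Constructed sample data: three rotation windows for a hypothetical site.
W_CUR = 1_800_000_000  # a multiple of 900, i.e. the start of a window
KEYS = {
    "key_old": (W_CUR - 2 * ROTATION_SECONDS, b"constructed-old-key"),
    "key_prev": (W_CUR - ROTATION_SECONDS, b"constructed-prev-key"),
    "key_cur": (W_CUR, b"constructed-cur-key"),
}

if __name__ == "__main__":
    ts, seen = W_CUR - 10, set()  # signed 10 s before the rotation boundary
    sig = sign(KEYS["key_prev"][1], "key_prev", ts, "POST", "/v1/orders", b"{}")
    for now in (W_CUR + 20, W_CUR + 30, W_CUR + 120):
        print(now - ts, verify(KEYS, seen, now, "key_prev", ts, "POST", "/v1/orders", b"{}", sig))
```

A request signed just before a rotation boundary still verifies for the next 90 seconds, while the same captured request is rejected once it is replayed or once it ages out of the window.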

Responsible disclosure, paid quickly.

We run a private HackerOne program. Researchers get triage within 24 hours and payouts within two weeks of confirmation. We publish every disclosed vulnerability on our public changelog within 90 days of patch, with researcher credit.

Critical: $10,000 – $25,000
High: $3,000 – $8,000
Medium: $500 – $2,000
47 researchers paid in 2025
Recent disclosures · Public
CVE-2026-0117 · patched Feb 03 · Timing oracle in HMAC comparison · severity medium
CVE-2025-9142 · patched Dec 22 · Container escape via hostpath mount · severity high
CVE-2025-7103 · patched Oct 14 · SSRF in plugin update proxy · severity medium

Read the report. Then decide.

Full pen-test report, SOC 2 attestation letter, and DPA — sent within one business day.

Email security@ Or talk to a human →