Trust center

Your data, your customers, our obligation.

Security and compliance posture, in detail. Email [email protected] for SOC 2 reports, pen test summaries, or signed DPAs.

Security architecture

🔐 Encryption

TLS 1.3 in transit. AES-256-GCM at rest. Private keys: per-tenant isolation via Cloudflare KV metadata. Customer keys: self-custody option.

🪪 Identity

PASETO v4.public with Ed25519. Open IETF-aligned standard. No JWT alg-none disasters possible.

📜 Audit chain

Append-only Merkle-chained audit log. Tamper-evident. Compliance & Audit Agent verifies chain every 10 min.

๐Ÿ›ก Infrastructure

Cloudflare Workers + D1 + KV + R2. DDoS-mitigated by default. SOC 2 Type II underlying. No public IPs.

Compliance roadmap

Framework | Status | Target
GDPR (EU) | Compliant | Live
CCPA (California) | Compliant | Live
SOC 2 Type I | In progress | Q4 2026
SOC 2 Type II | Planned | Q2 2027
PCI DSS | Stripe-delegated | Live (via Stripe)
DPF (EU-US) | Planned | Q4 2026

Disclosure policy

Vulnerability reports: email [email protected] with details + proof-of-concept. Acknowledged within 24h. Critical issues triaged within 4h. We do not run a paid bug bounty yet, but we will publicly credit + send swag for confirmed issues.