🛡️ Security Architecture
Your data is never written to unencrypted storage. Every layer is designed with defense in depth.
TLS 1.3 Enforcement
All API traffic and web console sessions are protected with TLS 1.3. Certificate pinning and HSTS are enforced by default.
AES-256-GCM Encryption
Configuration payloads are encrypted client-side or server-side using unique per-tenant keys. Keys are rotated automatically every 90 days.
Tenant-Scoped Storage
Strict logical and physical isolation between customer environments. No cross-tenant data leakage is possible at the database or storage layer.
✅ Compliance & Certifications
We maintain rigorous compliance standards to meet enterprise and regulatory requirements.
SOC 2 Type II
Annually audited controls for security, availability, and confidentiality.
GDPR Ready
Full data processing agreements, right to erasure, and EU data residency options.
CCPA / CPRA
Transparent consumer data practices and opt-out mechanisms for US customers.
ISO 27001
International standard for information security management systems.
HIPAA BAA
Business Associate Agreements available for healthcare configuration use cases.
Vault / KMS
Optional BYOK (Bring Your Own Key) via AWS KMS, Azure Key Vault, or HashiCorp Vault.
🔑 Identity & Access Management
Granular control over who can view, edit, and deploy configurations.
SSO & SAML 2.0
Seamlessly integrate with Okta, Azure AD, OneLogin, or PingIdentity. Enforce corporate authentication policies without managing passwords.
Role-Based Access Control (RBAC)
Predefined roles (Viewer, Editor, Admin, Auditor) plus custom policies. Enforce least-privilege access across projects and environments.
Multi-Factor Authentication
MFA required for all administrative actions. Supports TOTP, WebAuthn/FIDO2, and hardware security keys.
IP Allowlisting & Geo-Blocking
Restrict dashboard and API access to specific IP ranges or network blocks. Block traffic from high-risk regions.
| Feature | Starter | Pro | Enterprise |
|---|---|---|---|
| Basic RBAC | ✓ | ✓ | ✓ |
| Custom Roles | — | ✓ | ✓ |
| SAML SSO | — | ✓ | ✓ |
| SCIM Provisioning | — | — | ✓ |
| IP Allowlisting | — | ✓ | ✓ |
📄 Data Privacy & Retention
You own your configuration data. We act as a processor, never a controller.
Data Ownership & Portability
All configuration data, audit logs, and environment variables belong to you. Export your complete dataset at any time in standard JSON format.
Retention & Deletion
Config snapshots are retained per your policy. Upon account closure, all data is cryptographically shredded within 30 days. We never sell or share your data.
GDPR & DPA
Execute a standard Data Processing Agreement instantly. We support data residency in US, EU, and APAC regions for compliance mapping.
Audit Logs
Every API call, dashboard login, and config change is immutably logged. Logs include actor identity, IP, timestamp, and diff of changes.
📡 Monitoring & Incident Response
Proactive threat detection and transparent communication when things matter most.
24/7 Threat Detection
Real-time anomaly detection for API abuse, credential stuffing, and unusual configuration changes. Automated rate-limiting and bot mitigation.
Incident Response Team
Dedicated security engineers on standby. Automated runbooks trigger within 60 seconds of detection. Full post-mortem transparency.
Bug Bounty Program
We partner with trusted vulnerability disclosure platforms. Responsible researchers are rewarded for identifying and reporting security flaws.
❓ Security FAQ
Quick answers for your security and compliance teams.
Absolutely not. All configuration data is encrypted at rest using AES-256-GCM with per-tenant encryption keys. Even our support staff cannot view raw configuration values without explicit, time-limited decryption tokens.
Encryption keys are automatically rotated every 90 days without service interruption. We also support Bring Your Own Key (BYOK) via AWS KMS, Azure Key Vault, or HashiCorp Vault for full customer-managed key lifecycle control.
Yes. Enterprise customers can use Private Link (AWS) or VNet Integration (Azure) to create private endpoints. This keeps configuration sync traffic entirely within your cloud network, never traversing the public internet.
We follow a documented incident response lifecycle: Detection → Containment → Eradication → Recovery → Post-Mortem. Customers are notified within 4 hours of confirmed impact. Full, transparent reports are published post-resolution.
Have Security or Compliance Questions?
Our security team is ready to answer your questions, review your requirements, or schedule a technical deep-dive.
Or email us directly: security@appconfig.json