Security
Security is the product. This page is a working summary of how we protect customer data and how you can verify our claims.
Encryption
- In transit. TLS 1.3 everywhere. HSTS preload submitted. Public deployments score A+ on SSL Labs.
- At rest. Postgres on Neon (AES-256). Backups encrypted. No raw secrets stored — API keys are HMAC-hashed with a per-deployment signing secret.
Authentication
- API keys are 32-byte URL-safe random values, prefixed sk_test_ or sk_live_. We store only the hash; the raw key is shown once at creation.
- Dashboard auth is delegated to Clerk, with optional SSO and 2FA on every plan.
- Internal endpoints validate Clerk JWTs against the JWKS endpoint on every request.
Webhook signing
Every webhook is signed with HMAC-SHA256 over {timestamp}.{payload}. The timestamp protects against replay (5-minute tolerance). Verify with Detecte.webhooks.verify().
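The scheme above, written out as an added example (not the Detecte SDK's own code): the sender computes HMAC-SHA256 over "{timestamp}.{payload}", and the receiver rejects anything outside the 5-minute window before comparing the MAC in constant time. The secret, timestamp, payload and the hex signature encoding are constructed assumptions; how the timestamp and signature are carried (header names) is not specified on this page.

```python
import hmac
import hashlib
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # the 5-minute replay tolerance described above


def sign(secret: bytes, timestamp: int, payload: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over "{timestamp}.{payload}"."""
    message = str(timestamp).encode() + b"." + payload
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: int, payload: bytes, signature: str,
           now: Optional[int] = None) -> bool:
    """Receiver side: timestamp window first, then constant-time MAC check."""
    now = int(time.time()) if now is None else now
    # A stale (or far-future) timestamp is a replay candidate; reject before
    # doing any cryptographic work, so the window is the first gate.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, timestamp, payload)
    # compare_digest avoids leaking the mismatch position via timing.
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    """Constructed sample delivery and the outcomes a receiver should see."""
    secret = b"whsec_constructed_example_secret"      # constructed, not real
    ts = 1_700_000_000                                  # constructed timestamp
    payload = b'{"event":"policy.created","id":"pol_constructed"}'
    sig = sign(secret, ts, payload)
    return {
        "fresh": verify(secret, ts, payload, sig, now=ts + 10),
        "replayed_late": verify(secret, ts, payload, sig, now=ts + 301),
        "tampered_body": verify(secret, ts, payload + b" ", sig, now=ts + 10),
        "wrong_mac": verify(secret, ts, payload, sig[:-1] + "0", now=ts + 10),
    }


if __name__ == "__main__":
    print(demo())
```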
PII redaction
When you mark fields as sensitive, Detecte HMAC-hashes them before persisting. Originals never reach our database. Policies that match by equality still work because the hash is deterministic per workspace.
Audit log
Every state-changing action — policy created, key revoked, agent re-tiered, incident resolved — is recorded in the audit log with actor, timestamp, and decision linkage. Logs are append-only; deletes are not exposed.
Data residency
US-East today. EU (fra1) and APAC (sin1) deployments are next on the roadmap; per-workspace region pinning is supported in the SDK.
Compliance roadmap
- SOC 2 Type II — in progress. Vanta engagement open; first audit window targeted within 12 months.
- GDPR — DPA available on request: security@detecte.xyz.
- HIPAA, ISO 27001, EU AI Act readiness — being scoped.
Responsible disclosure
Found something? Please email security@detecte.xyz. PGP key fingerprint will be published on this page once issued. We aim to triage within 48 hours and disclose in coordination.