Security

Last updated: 15 May 2026

We treat security as a foundation, not a feature. This page is a public summary of how we operate; the full security documentation is available under NDA.

Application security

  • Argon2id password hashing with OWASP-recommended parameters.
  • TOTP 2FA available on every account, mandatory for super-admins.
  • HMAC-SHA256 request signing on every public API call, with timestamp + nonce replay protection.
  • AES-256-GCM encryption at rest for sensitive secrets (API key plaintexts, TOTP secrets).
  • Tenant isolation enforced by a Prisma extension that auto-injects organizationId on every query — defence in depth even if a controller forgets to filter.
  • CSP, HSTS, X-Frame-Options and a sensible Referrer-Policy set on every response.
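To illustrate the request-signing bullet above, here is an added example (not keystack.dev's own code) of the server-side check: timestamp window first, then the HMAC compared in constant time, then the nonce replay check. The canonical-string layout, the five-minute window and the field names are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example: verifier for HMAC-SHA256 request signing with
// timestamp + nonce replay protection. The canonical-string layout and
// the five-minute window are assumptions, not keystack.dev's actual format.
const WINDOW_MS = 5 * 60 * 1000;

interface SignedRequest {
  method: string;
  path: string;
  body: string;
  timestamp: number; // Unix time in milliseconds, supplied by the client
  nonce: string;     // random per request, supplied by the client
  signature: string; // hex HMAC-SHA256 over the canonical string
}

// Nonces accepted inside the replay window, mapped to their expiry time.
const seenNonces = new Map<string, number>();

function canonical(r: Omit<SignedRequest, "signature">): string {
  return [r.timestamp, r.nonce, r.method.toUpperCase(), r.path, r.body].join("\n");
}

function sign(secret: string, r: Omit<SignedRequest, "signature">): string {
  return createHmac("sha256", secret).update(canonical(r)).digest("hex");
}

// Returns a rejection reason, or null when the request is accepted.
function verify(secret: string, r: SignedRequest, now = Date.now()): string | null {
  // 1. Timestamp: reject anything outside the window in either direction.
  if (Math.abs(now - r.timestamp) > WINDOW_MS) return "stale timestamp";
  // 2. Signature: constant-time compare; equal lengths are required first
  //    because timingSafeEqual throws on length mismatch.
  const expected = Buffer.from(sign(secret, r), "hex");
  const given = Buffer.from(r.signature, "hex");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return "bad signature";
  // 3. Nonce: checked only after the MAC passes, so an unauthenticated
  //    caller cannot burn nonces that a legitimate client will use later.
  for (const [n, exp] of seenNonces) if (exp <= now) seenNonces.delete(n);
  if (seenNonces.has(r.nonce)) return "replayed nonce";
  seenNonces.set(r.nonce, now + WINDOW_MS);
  return null;
}
```

Because expired nonces are pruned on each call, the store only ever holds nonces from the last five minutes, which is all the replay check needs once the timestamp window is enforced.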

Infrastructure

  • TLS 1.3 everywhere, including internal service-to-service.
  • Database connections over TLS with verified certificates.
  • Production deployments are immutable and require code review + green CI to merge.
  • Secrets live in a managed secret store, never in source control.
  • Hourly point-in-time recoverable database backups.

Operational practices

  • Annual third-party penetration test.
  • Quarterly internal access reviews for production data.
  • All employees use phishing-resistant 2FA on company accounts.
  • Incident response runbook with named on-call.

Responsible disclosure

We welcome reports from security researchers. Please email security@keystack.dev with details. We aim to:

  1. Acknowledge within 24 hours.
  2. Provide a remediation plan within 5 business days.
  3. Credit you publicly (if you wish) once the issue is patched.

Please don't run automated scanners against production beyond gentle low-volume probes — we'd rather hear about findings than have your IP throttled.