
We hold your front door. Here's how we hold ourselves.
Identity infrastructure concentrates risk by design — so the bar for operating it has to be uncomfortable. This page is the uncomfortable bar, in public.
Four rules that don't bend
Assume breach, design for blast radius
Customer workloads run in isolated cells with independent control planes. Compromise of one cell is architecturally incapable of reaching another — isolation is enforced by infrastructure, not by code review.
No standing access, ever
Production access is just-in-time, scoped to a ticket, approved by a second engineer, gated on hardware keys, and expires in hours. Every session is recorded and independently audited.
Cryptography with a rotation habit
AES-256-GCM at rest, TLS 1.3 in transit, EdDSA signatures on every token. Signing keys live in HSMs and rotate quarterly with zero downtime — a rotation we publish, not just perform.
Evidence over assertion
Every claim on this page maps to an artifact: audit reports, penetration test summaries, uptime attestations, and our hash-chained audit fabric. Ask for the receipts — that's what they're for.
Certifications your auditors already trust
Reports and attestations are available under NDA through your account team — most land in your inbox the same day.
Boring algorithms, aggressive hygiene
We don't invent cryptography. We operate the standard primitives with unusual discipline — rotation schedules, hardware custody, and parameters reviewed by external cryptographers annually.
Your data, pinned to your map
EU customers run in EU cells with EU support access controls. Identity data never crosses a residency boundary — not for processing, not for failover, not for support.
- Residency options: US, EU, UK, APAC, and sovereign-cloud cells
- SCCs and a signed DPA standard on every contract
- Support access is region-gated and customer-approvable
Find something? We pay for that.
Our public bug bounty has paid $2.4M since 2022, with a 24-hour triage SLA and no gag clauses. Researchers get credit, cash, and a direct line to the engineers who ship the fix.
A short list, on purpose
Every subprocessor is under DPA, reviewed annually, and listed here before it touches production. Customers are notified 30 days before any addition.
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | Global (customer-pinned regions) |
| Google Cloud Platform | Cloud infrastructure (EU cells) | European Union |
| Datadog | Infrastructure observability | United States |
| Stripe | Billing | United States |
| Snowflake | Anonymized analytics | United States |

Put our CISO in front of your CISO
Security review calls include our security leadership, not just sales. Bring the hard questions — they're the fun part.
Enterprise only · No self-serve tier · Typical procurement to production: 6 weeks