Authr
Security & Trust

We hold your front door. Here's how we hold ourselves.

Identity infrastructure concentrates risk by design — so the bar for operating it has to be uncomfortable. This page is the uncomfortable bar, in public.

99.9994%
trailing 12-month uptime
$2.4M
bug bounty paid to date
24h
disclosure triage SLA
0
standing production credentials
Operating Principles

Four rules that don't bend

01

Assume breach, design for blast radius

Customer workloads run in isolated cells with independent control planes. Compromise of one cell is architecturally incapable of reaching another — isolation is enforced by infrastructure, not by code review.

02

No standing access, ever

Production access is just-in-time, scoped to a ticket, approved by a second engineer, gated on hardware keys, and expires in hours. Every session is recorded and independently audited.

03

Cryptography with a rotation habit

AES-256-GCM at rest, TLS 1.3 in transit, EdDSA signatures on every token. Signing keys live in HSMs and rotate quarterly with zero downtime — a rotation we publish, not just perform.

04

Evidence over assertion

Every claim on this page maps to an artifact: audit reports, penetration test summaries, uptime attestations, and our hash-chained audit fabric. Ask for the receipts — that's what they're for.

Compliance

Certifications your auditors already trust

Reports and attestations are available under NDA through your account team — most land in your inbox the same day.

SOC 2

Type II, audited annually since 2023

Request report →
ISO 27001

Certified, incl. 27017 & 27018

Request report →
HIPAA

BAA available on all enterprise plans

Request report →
PCI DSS

Level 1 Service Provider

Request report →
FedRAMP

Moderate — In Process (2026)

Request report →
GDPR

EU data residency, SCCs, DPA

Request report →
Cryptography

Boring algorithms, aggressive hygiene

We don't invent cryptography. We operate the standard primitives with unusual discipline — rotation schedules, hardware custody, and parameters reviewed by external cryptographers annually.

Data at restAES-256-GCM, per-tenant data keys, envelope encryption via HSM-backed KMS
Data in transitTLS 1.3 exclusively; mTLS on every internal service hop
Token signaturesEdDSA (Ed25519); RSA available for legacy relying parties
Key custodyFIPS 140-2 Level 3 HSMs; quarterly zero-downtime rotation
SecretsHardware-rooted, short-lived, never in environment variables
PasswordsArgon2id with per-credential parameters; breach-corpus screening
Data Residency

Your data, pinned to your map

EU customers run in EU cells with EU support access controls. Identity data never crosses a residency boundary — not for processing, not for failover, not for support.

  • Residency options: US, EU, UK, APAC, and sovereign-cloud cells
  • SCCs and a signed DPA standard on every contract
  • Support access is region-gated and customer-approvable
Responsible Disclosure

Find something? We pay for that.

Our public bug bounty has paid $2.4M since 2022, with a 24-hour triage SLA and no gag clauses. Researchers get credit, cash, and a direct line to the engineers who ship the fix.

security@authr.com · PGP available
Critical findings: median time-to-fix 9 hours
Subprocessors

A short list, on purpose

Every subprocessor is under DPA, reviewed annually, and listed here before it touches production. Customers are notified 30 days before any addition.

VendorPurposeRegion
Amazon Web ServicesCloud infrastructureGlobal (customer-pinned regions)
Google Cloud PlatformCloud infrastructure (EU cells)European Union
DatadogInfrastructure observabilityUnited States
StripeBillingUnited States
SnowflakeAnonymized analyticsUnited States

Put our CISO in front of your CISO

Security review calls include our security leadership, not just sales. Bring the hard questions — they're the fun part.

Enterprise only · No self-serve tier · Typical procurement to production: 6 weeks