🛡️

Our Security Commitment

Security is foundational to everything we build. Learn about our comprehensive approach to protecting your application configurations, data, and infrastructure.

🔐 Overview

Security-First Architecture

We've built App Config.json from the ground up with security as our core principle. Every layer of our platform is designed to protect your data.

🔒

End-to-End Encryption

All configuration data is encrypted in transit using TLS 1.3 and at rest using AES-256-GCM. Your secrets are never exposed.

🛡️

Zero Trust Model

Every request is authenticated and authorized. No implicit trust between services. Micro-segmentation across all infrastructure.

📋

Compliance Ready

Built to meet SOC 2 Type II, GDPR, HIPAA, and ISO 27001 requirements. Regular third-party audits ensure we stay compliant.

🔑

Key Management

HSM-backed key management with automated rotation. Customer-managed keys (CMK) available on Enterprise plans.

🚨

Threat Detection

24/7 security monitoring with automated anomaly detection. Immediate incident response by our dedicated security team.

🌐

DDoS Protection

Enterprise-grade DDoS mitigation with always-on protection. Our infrastructure absorbs and mitigates attacks automatically.

🔐 Encryption

Data Encryption Standards

Your configuration data is protected with military-grade encryption at every stage — in transit, at rest, and in use.

How We Protect Your Data

App Config.json employs multiple layers of encryption to ensure your configuration data remains confidential and tamper-proof. Here's our approach:

  • In Transit: TLS 1.3 with Perfect Forward Secrecy for all API communications
  • At Rest: AES-256-GCM encryption for all stored configuration data and backups
  • In Use: Confidential computing with encrypted memory enclaves for sensitive operations
  • Key Rotation: Automatic encryption key rotation every 90 days with zero downtime
  • Key Storage: HSM-backed key management via AWS KMS / Azure Key Vault
  • Secrets: Dedicated secrets vault with field-level encryption for sensitive values
🔒
// Encrypted Configuration Payload

{
  "encrypted_at": "2025-01-15T10:30:00Z",
  "algorithm": "AES-256-GCM",
  "key_version": "v3.2025.01",
  "payload": "U2FsdGVkX1+...encrypted...",
  "hmac": "sha256:a1b2c3...",
  "encrypted_fields": [
    "api_key",
    "database_url",
    "jwt_secret"
  ]
}
Compliance

Compliance & Certifications

We maintain rigorous compliance standards and undergo regular third-party audits to ensure your data is handled according to the highest security standards.

🏛️

SOC 2 Type II

Independent audit of our security, availability, and confidentiality controls.

● Certified
🇪🇺

GDPR

Full compliance with EU data protection regulations. Data Processing Agreement available.

● Compliant
🏥

HIPAA

BAA available for healthcare organizations. PHI data handled with extra safeguards.

● Compliant
🌍

ISO 27001

International standard for information security management systems.

● Pending
📦 Data Handling

How We Handle Your Data

Transparency about data handling is essential. Here's exactly what we do with your configuration data.

💾

Data Storage

Your configuration data is stored in geographically redundant data centers with automatic failover.

  • AWS us-east-1 & eu-west-1 (primary)
  • Automatic cross-region replication
  • Immutable backups retained for 30 days
  • Customer-controlled data residency (Enterprise)
🗑️

Data Deletion

When you delete data, we permanently erase it from all systems including backups.

  • Immediate soft delete with 7-day grace period
  • Cryptographic erasure after grace period
  • Backup purging within 30 days
  • Deletion certificate available on request
📊

Usage Analytics

We collect minimal, anonymized usage data to improve our service and detect anomalies.

  • API request counts (aggregated)
  • Error rates and latency metrics
  • No configuration content is analyzed
  • Opt-out available in account settings
🤝

Third-Party Sharing

We never sell your data. Limited sharing only with essential service providers under strict agreements.

  • Cloud infrastructure (AWS/Azure)
  • Monitoring & alerting services
  • All vendors are SOC 2 compliant
  • Full vendor list available on request
🔑 Access Control

Identity & Access Management

Granular access controls ensure only authorized personnel can view or modify your configurations.

  • 👥

    Role-Based Access Control (RBAC)

    Define custom roles with precise permissions. Pre-built roles for Admin, Editor, Viewer, and Auditor.

  • 🔐

    Single Sign-On (SSO)

    Enterprise SSO via SAML 2.0 and OIDC. Supports Okta, Azure AD, Google Workspace, and more.

  • 📱

    Multi-Factor Authentication (MFA)

    Required for all accounts. Supports TOTP, WebAuthn/FIDO2, and hardware security keys.

  • 📜

    Audit Logging

    Complete audit trail of all configuration changes, API calls, and user actions with immutable logs.

  • 🏷️

    IP Allowlisting

    Restrict access to your account by IP address or CIDR range. Webhook IP allowlisting also available.

rbac_policy.json
// App Config.json — RBAC Policy
{
  "roles": {
    "config_editor": {
      "permissions": [
        "config:read",
        "config:write",
        "config:deploy"
      ],
      "scope": "environment:production"
    },
    "auditor": {
      "permissions": [
        "config:read",
        "audit:read"
      ],
      "mfa_required": true
    }
  },
  "enforce_mfa": true
}
🚨 Incident Response

Security Incident Response

We maintain a structured incident response process aligned with industry best practices. Here's what happens when a security incident is detected.

1
T+0 minutes

Detection & Alerting

Automated monitoring systems detect anomalies. Alerts are sent to our 24/7 Security Operations Center (SOC) and on-call security engineers.

2
T+15 minutes

Initial Assessment

Security team triages the alert, determines severity level, and activates the appropriate incident response team. Preliminary containment measures are applied.

3
T+30 minutes

Containment

Immediate containment actions are taken to limit impact. Affected systems are isolated. Customer impact is assessed and documented.

4
T+1 hour

Customer Notification

For customer-impacting incidents, affected customers are notified via status page, email, and direct contact for Enterprise accounts.

5
T+24 hours

Investigation & Resolution

Deep investigation into root cause. Permanent fixes are developed, tested, and deployed. Systems are restored to full operation.

6
T+7 days

Post-Incident Review

Full post-mortem conducted. Lessons learned documented. Security controls updated to prevent recurrence. Report shared with affected customers.

Have Security Questions?

Our security team is happy to answer questions about our infrastructure, compliance, or help you with security reviews for your procurement process.

Contact Security Team →
📬 Contact

Get in Touch

Reach out to the appropriate team for your security-related needs.

🐛

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure and offer a bug bounty program.

security@appconfig.json
📄

Legal & Compliance

Need a DPA, BAA, security questionnaire, or compliance documentation?

legal@appconfig.json
📰

Security Inquiries

General security questions, architecture reviews, or pre-sales security discussions.

security-info@appconfig.json