Sub-processors
These vendors process data on our behalf. We review each one against the same security standards we apply to our own service.
| Vendor | Purpose | Data | Region | DPA |
|---|---|---|---|---|
| Supabase | Authentication, Postgres database (users, API keys, manifests metadata) | Email, OAuth identity, API key metadata, manifest records | AWS us-east-1 (US); EU add-on available on Enterprise | View ↗ |
| Vercel | Web hosting (hashproof.ai), analytics, edge caching | Anonymized page-view metrics, request logs, static assets | Global edge; primary iad1 (US-East) | View ↗ |
| Cloudflare | DNS, WAF, DDoS protection for hashproof.ai and api.hashproof.ai | Request IP, URL, TLS handshake metadata | Global edge network | View ↗ |
| Upstash | Redis-backed rate limiting and ephemeral session data | API key identifier, per-minute request counters | AWS us-east-1 (US) | View ↗ |
| Railway | Application container hosting for the Hashproof API | Runtime logs, request metadata | us-west2 (US) | View ↗ |
Certifications & attestations
- SOC 2 Type I — in progress, target Q3 2026. Type II planned for 2027.
- ISO 27001 — planned Q1 2027.
- GDPR & CCPA — compliant by design. DPA available on the Enterprise tier.
We do not display badges for certifications we have not earned. When SOC 2 Type II is issued, this section updates with the report URL.
Data flow
- Client sends a request to api.hashproof.ai over TLS 1.3. Cloudflare terminates TLS, applies WAF + DDoS rules.
- Request is forwarded to the Hashproof API container on Railway (us-west2). The container validates the API key or Supabase session and consults Upstash for rate-limit state.
- Manifest payloads are stored in Supabase Postgres with per-tenant row isolation and optional IPFS CID storage.
- Every hour, the Merkle root of new manifests is anchored to Base L2 for tamper-evidence. The anchor transaction hash is available via /v1/manifests/:id/proof.
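How a client could check one manifest against an anchored hourly root, as an added example that is not Hashproof's code. It assumes SHA-256, RFC 6962-style leaf/node prefixes, odd nodes promoted unchanged, and a proof expressed as (sibling, side) pairs; the page does not specify the tree construction or the response format of the proof endpoint, and all function names are hypothetical.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(manifest: bytes) -> bytes:
    # Assumed: 0x00 prefix separates leaves from interior nodes (RFC 6962 style).
    return _h(b"\x00" + manifest)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_tree(manifests):
    """Return every level of the tree, leaves first; an odd node is promoted."""
    if not manifests:
        raise ValueError("no manifests in this anchoring window")
    level = [leaf_hash(m) for m in manifests]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) if i + 1 < len(level)
                 else level[i] for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling at this level
            proof.append((level[sib], "L" if sib < index else "R"))
        index //= 2
    return proof

def verify(manifest: bytes, proof, anchored_root: bytes) -> bool:
    """Recompute the root from the manifest and compare with the anchored one."""
    acc = leaf_hash(manifest)
    for sibling, side in proof:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return hmac.compare_digest(acc, anchored_root)

# Constructed sample data: five manifests signed within one hourly window.
SAMPLE = [b'{"id":"m%d","sha256":"constructed"}' % i for i in range(5)]
LEVELS = build_tree(SAMPLE)
ROOT = LEVELS[-1][0]  # in practice: the root read from the anchor transaction
```

The check is only as strong as the root it is compared against, so the root should be read from the anchor transaction itself rather than taken from the same response that supplies the proof.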
Encryption
- At rest: AES-256 (Postgres + object storage). Per-tenant encryption keys on Scale and Enterprise.
- In transit: TLS 1.3 for client-to-API; mutual TLS (mTLS) for federation between Hashproof nodes.
- Signing keys: software-backed Ed25519 on Free and Growth; managed HSM on Scale; bring-your-own HSM (AWS KMS, Azure Key Vault) on Enterprise.
Access control
- User auth: Supabase Auth with Google + GitHub OAuth and email/password. Session tokens are HttpOnly, refreshed automatically.
- API keys: SHA-256 hashed at rest; plain value shown to the user once at creation. Scope-limited; rate-limited per key.
- Internal access: least-privilege RBAC over production systems. Production access is logged and audit-reviewed weekly.
- Enterprise: SSO via SAML/OIDC, SCIM provisioning, custom role mapping.
Audit logs
Scale and Enterprise tiers export security-relevant events (API key create/revoke, sign-in, manifest signing) to JSON or webhook targets. Retention: 90 days on Scale, 2 years on Enterprise, with optional S3 export for longer horizons.
Vulnerability disclosure
Report security issues to security@hashproof.ai. We acknowledge reports within 2 business days and commit to a status update every 5 business days until resolution.
PGP fingerprint (placeholder — replace before public launch)
C2PA 2026 HPRF PGPKEY XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Machine-readable policy: /.well-known/security.txt
Backups & DR
- Database: Point-in-time recovery with 7-day window (Free/Growth), 30-day (Scale), 90-day (Enterprise).
- Object storage: 11-nines durability (S3 Standard).
- RPO: 5 minutes. RTO: 1 hour for Scale and above.
GDPR & DPA
Our standard DPA is available on the Enterprise tier; drop a line to legal@hashproof.ai. EU residency (Frankfurt + Dublin) is the default for Enterprise customers with EU-origin data.
See also: Privacy Policy · Terms of Service
Recent disclosures
No security incidents disclosed to date. When we have one, it appears here and on the status page.