TLS 1.3. AES-256. Regional hosting. Documents auto-purged. OWASP Top 10 mitigations. Responsible disclosure program. What we do — and how to report a vulnerability.
TLS 1.3 in transit. AES-256-GCM at rest. Keys managed via cloud KMS with rotation every 90 days.
India: GCP Mumbai. EU/EEA: GCP Belgium. Africa and Middle East: GCP Johannesburg. No cross-region transfer without customer instruction.
Documents are purged 24 hours after API response delivery by default. Optional 5-minute purge per API key. Enterprise: custom retention or zero-retention.
Every release tested against OWASP Top 10. Web Application Firewall (WAF) in front of all endpoints. Quarterly penetration tests.
All API calls logged. All admin actions logged. Logs retained per regulatory requirement (90 days default, 7 years for Enterprise).
Role-based access in customer portal. Per-API-key scoping. Webhook signature validation. IP allowlisting for Enterprise.
If you discover a security vulnerability in any Abscode product, please report it to us privately so we can fix it. We commit to:
Email: security@abscode.com. PGP key available on request. Do NOT publicly disclose until we've shipped a fix.
Abscode is built to align with the following standards. Formal certifications are pursued as we scale.
Enterprise customers can request our SOC 2 Type I report, ISO 27001 SOA, recent penetration test summary, and vendor security questionnaire (SIG / CAIQ format). Contact enterprise@abscode.com.