Security

Security is a foundation, not a feature.

Built from day one to pass enterprise security reviews. Here's what's under the hood, and what we're working on next.

Controls in production today

Encryption at rest

AES-256 for all customer databases. Keys managed via KMS with periodic rotation.

Encryption in transit

TLS 1.3 for every internal and external connection. Certificates managed by Let's Encrypt + ACME.

Multi-tenant isolation

Hard data boundaries at the organization level. Every query is constrained to the active org from the JWT.

Federated identity

JWT RS256, public JWKS for verification. No shared secrets, no duplicated identity DBs.

Full audit trails

Every sensitive action is logged: who, when, which resource. Searchable, exportable.

EU data residency

Available for every product. Our European servers are fully isolated from other infrastructure.

Sovereign deployment

Private cloud or air-gapped on-premise for customers with strict residency requirements. Contact us.

GDPR rights built-in

Data export (Article 20) and deletion (Article 17) ship in every account. No ticket needed.

Compliance status, candidly

✓ means shipped today. ◐ means in progress with a target date. No "enterprise-ready" claims for things that haven't shipped yet.

Responsible vulnerability disclosure

If you discover a security vulnerability, we want to hear from you. Send details to contact@amargicreative.com. We'll respond within 48 hours with an acknowledgment and a remediation timeline. Researchers who follow coordinated disclosure are credited on a public thanks page.

Need security documentation for vendor review?

Contact us. We provide security questionnaires, architecture documents, and sovereign-deployment details on request.