Abyxo

Legal · last updated 2026-04-22

Security

Authentication

Every sign-in uses a password plus a second factor. WebAuthn passkeys (hardware or platform) are mandatory for owner/admin roles. Sessions are stored in the database and can be revoked individually.

Step-up authentication

Sensitive actions (webhook secret rotation, withdrawals, enrolling a new passkey) trigger an additional WebAuthn challenge. No critical action proceeds without hardware-backed confirmation.

Encryption

TLS 1.3 everywhere. Data at rest is encrypted with AES-256-GCM. Keys live in HashiCorp Vault on our bare-metal stack. Quarterly rotation, annual audit.

Signed webhooks

HMAC-SHA256 over the raw request body. Anti-replay timestamp. One-click secret rotation with a 24-hour grace period during which the previous secret still verifies. Retries with exponential backoff (5 attempts over 24 h); failed deliveries land in a dead-letter queue inspectable from the back office.
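The receiver-side logic those three properties imply (MAC over the raw body, a timestamp tolerance window, and a rotated-out secret that keeps verifying for 24 hours) is shown below as an added example. It is not Abyxo's code or SDK: the exact signed-string format ("<timestamp>.<raw body>"), the 5-minute tolerance, the header names the values come from, and the sample payload and secrets are all assumptions or constructed values; only the HMAC-SHA256 algorithm and the 24-hour grace period come from the page.

```python
import hashlib
import hmac
import time
from typing import Iterator, Optional

# Constructed parameter (not from the page): a delivery is accepted only if
# its timestamp is within this many seconds of the receiver's clock.
TIMESTAMP_TOLERANCE_S = 300
# From the page: after rotation the previous secret stays valid for 24 hours.
ROTATION_GRACE_S = 24 * 3600


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>" (assumed format).
    Including the timestamp in the MAC input means it cannot be edited to
    pull a captured delivery back inside the replay window."""
    msg = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver state: the current secret plus, after a rotation, the previous
    secret and the moment it was retired."""

    def __init__(self, current: bytes) -> None:
        self.current = current
        self.previous: Optional[bytes] = None
        self.rotated_at: Optional[int] = None

    def rotate(self, new_secret: bytes, now: int) -> None:
        """One-click rotation: the old secret becomes 'previous' and keeps
        verifying deliveries for ROTATION_GRACE_S seconds after `now`."""
        self.previous, self.rotated_at = self.current, now
        self.current = new_secret

    def _candidate_secrets(self, now: int) -> Iterator[bytes]:
        yield self.current
        if self.previous is not None and self.rotated_at is not None:
            if now - self.rotated_at < ROTATION_GRACE_S:
                yield self.previous

    def verify(self, raw_body: bytes, timestamp: str, signature: str,
               now: Optional[int] = None) -> tuple[bool, str]:
        """Return (accepted, reason). `raw_body` must be the bytes exactly as
        received: re-serialising the JSON first would change the MAC input."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(timestamp)
        except ValueError:
            return False, "malformed timestamp"
        # Anti-replay: reject stale and future-dated deliveries alike.
        if abs(now - ts) > TIMESTAMP_TOLERANCE_S:
            return False, "timestamp outside tolerance"
        for secret in self._candidate_secrets(now):
            expected = sign(secret, ts, raw_body)
            # Constant-time comparison: no timing side channel on the MAC.
            if hmac.compare_digest(expected, signature):
                return True, "ok"
        return False, "bad signature"


def demo() -> list[tuple[bool, str]]:
    """Constructed walk-through: valid delivery, replay an hour later, body
    tampered, then a rotation with one delivery inside and one outside the
    grace window. Returns the six (accepted, reason) results in that order."""
    old, new = b"old-secret-constructed", b"new-secret-constructed"
    body = b'{"event":"payout.settled","amount":"12.50"}'  # constructed payload
    t0 = 1_700_000_000
    v = WebhookVerifier(old)
    results = [
        v.verify(body, str(t0), sign(old, t0, body), now=t0 + 10),
        v.verify(body, str(t0), sign(old, t0, body), now=t0 + 3600),
        v.verify(body + b" ", str(t0), sign(old, t0, body), now=t0 + 10),
    ]
    v.rotate(new, now=t0 + 60)
    t1 = t0 + 60 + ROTATION_GRACE_S + 1  # one second past the grace window
    results += [
        v.verify(body, str(t0 + 70), sign(old, t0 + 70, body), now=t0 + 80),
        v.verify(body, str(t1), sign(old, t1, body), now=t1 + 5),
        v.verify(body, str(t1), sign(new, t1, body), now=t1 + 5),
    ]
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

A timestamp window bounds how long a captured delivery can be replayed but does not stop a replay inside the window; receivers that need exactly-once processing additionally record the delivery id (or the signature) for the length of the window and drop repeats.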

Infrastructure

Bare-metal France (HostMyServers, Roubaix). BGP anycast 10 Gbit/s, L3/L4/L7 DDoS mitigation. Tier IV datacenter with 24/7 NOC. No US cloud, no AWS, no GCP. Zero foreign dependency.

Bug bounty program

We reward responsible disclosure. Scope, rules and payouts: /security/bug-bounty. Critical = up to €10,000.

Audits

  • Annual external pentest (Synacktiv).
  • SOC 2 Type II — audit Q4 2026.
  • Halborn audit — gRPC runtime adapter.