§ Security & trust

Built for audit, not for slogans.

A signed verdict only matters if the issuing infrastructure can be held to account. This page is the pre-answered procurement questionnaire — every question a security buyer asks before they sign.

SOC 2 Type 1: In progress (target 2026-12-31)
SOC 2 Type 2: Planned (Q3 2027)
GDPR: Compliant (DPA available)
Ed25519: Verdicts signed (key etymolt-1779085662)
Bug bounty: Open (security@etymolt.com)
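As an added illustration (not Etymolt's code and not its published verdict format), this is the customer-side check of an Ed25519-signed verdict in Go. The Verdict fields, the envelope layout and the pinned key id are assumptions; what matters is pinning the signing key by id and verifying over the exact payload bytes that were served, never over a re-serialised copy.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Verdict is a hypothetical payload; the field names are assumed, not Etymolt's published schema.
type Verdict struct {
	ID     string `json:"id"`
	Name   string `json:"name"`
	Result string `json:"result"`
}

// SignedVerdict carries the exact payload bytes that were signed, the signing key id and a detached signature.
type SignedVerdict struct {
	Payload   json.RawMessage `json:"payload"`
	KeyID     string          `json:"key_id"`    // e.g. the page's etymolt-1779085662
	Signature string          `json:"signature"` // base64 of the 64-byte Ed25519 signature
}

// SignVerdict is the issuer side, included only so the example runs end to end.
func SignVerdict(v Verdict, keyID string, priv ed25519.PrivateKey) (SignedVerdict, error) {
	payload, err := json.Marshal(v) // struct fields marshal in declared order, so the bytes are stable
	if err != nil {
		return SignedVerdict{}, err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload))
	return SignedVerdict{Payload: payload, KeyID: keyID, Signature: sig}, nil
}

// VerifyVerdict is the customer side: refuse key ids that are not pinned, verify over the served
// bytes (never over a re-serialised copy), and only then parse the payload.
func VerifyVerdict(sv SignedVerdict, pinned map[string]ed25519.PublicKey) (*Verdict, error) {
	pub, ok := pinned[sv.KeyID]
	if !ok {
		return nil, errors.New("signing key id is not pinned: " + sv.KeyID)
	}
	sig, err := base64.StdEncoding.DecodeString(sv.Signature)
	if err != nil || !ed25519.Verify(pub, sv.Payload, sig) {
		return nil, errors.New("signature does not verify over the served payload bytes")
	}
	var v Verdict
	if err := json.Unmarshal(sv.Payload, &v); err != nil {
		return nil, err
	}
	return &v, nil
}
```

A permalink at /v/{id} is only as strong as this check: a client that re-encodes the JSON before verifying, or accepts whatever key id the response names, has verified nothing.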
§ Data handling

What we collect. What we don't.

A verdict's surface area is small by design: the name being verified, the optional Nice class, and (if authenticated) the API key. We don't collect business context, customer lists, or competitive intel. The simpler the data we hold, the smaller the breach blast radius.

Encryption at rest

AES-256 at the database and object-store layer. Verdict payloads, signatures, and corpus snapshots are encrypted at rest. Keys are managed by Railway KMS with rotation policy aligned to the SOC 2 readiness program.

Encryption in transit

TLS 1.3 on every public-facing endpoint. HSTS preload-eligible (2-year max-age, includeSubDomains, preload). Internal service-to-service traffic on Railway is mTLS by default.
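An added check (not Etymolt's code) that a security reviewer can run against the HSTS and TLS claims above: it parses a Strict-Transport-Security header per RFC 6797, applies the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload), and shows the server-side TLS floor the page describes.

```go
package main

import (
	"crypto/tls"
	"errors"
	"strconv"
	"strings"
)

// HSTSPolicy is a parsed Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses the directives; names are case-insensitive and max-age is mandatory (RFC 6797).
func ParseHSTS(value string) (HSTSPolicy, error) {
	p, seenMaxAge := HSTSPolicy{}, false
	for _, d := range strings.Split(value, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(val), `"`), 10, 64)
			if err != nil || n < 0 {
				return p, errors.New("invalid max-age")
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("max-age directive missing")
	}
	return p, nil
}

// PreloadEligible applies the hstspreload.org rules: max-age >= 1 year (31536000 s), includeSubDomains, preload.
func PreloadEligible(p HSTSPolicy) bool {
	return p.MaxAge >= 31536000 && p.IncludeSubDomains && p.Preload
}

// ServerTLSConfig is the TLS-side counterpart of the page's claim: refuse anything below TLS 1.3.
func ServerTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13}
}
```

The page's policy corresponds to the header value `max-age=63072000; includeSubDomains; preload`, which passes PreloadEligible; a bare `max-age=300` parses but does not.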

Verdict retention

Verdict permalinks at /v/{id} are append-only and retained indefinitely (this is the audit-log promise). Free-tier verdicts are anonymous — no user-account linkage. Paid-tier verdicts are linked to your account and exportable via GET /v1/verdicts.

PII handling

Etymolt is not designed to handle PII. Brand-name strings are not PII under GDPR or CCPA definitions. If a customer accidentally submits a personal name to /v1/verify, we will purge on request within 72 hours under our Data Subject Request process.

Backup & recovery

Database snapshots every 4 hours, retained 30 days. Cross-region backup to a second Railway region. Verdict signing keys are backed up offline under two-of-three Shamir secret sharing custody.

Audit logs

Every API call is logged with caller identity, IP, timestamp, request hash, and response status. Logs are retained 18 months. Platform-tier customers can export their own audit log via GET /v1/audit on request.

§ Access & identity

Who can see what.

Production access is need-to-know. Customer data is not accessed by Etymolt staff except for support tickets you've explicitly opened. SSO and SCIM are roadmap items for the Platform tier.

Staff access

Production database access is restricted to two engineers under role-based access control with quarterly rotation review. All staff access is logged and surfaced in the audit log under actor: staff.

API key model

API keys are scoped (read-only / verdict-only / verdict-and-billing), prefixed (sk_live_ / sk_test_), hashed at rest, and revocable from the dashboard. Keys never appear in logs after creation.
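An added example (not Etymolt's implementation) of the key model the paragraph describes, in Go: keys are minted with an sk_live_ or sk_test_ prefix, only their SHA-256 is persisted, lookup and scope checks run on the hash, and a log filter keeps anything matching a key out of log lines. The scope ranking (verdict-and-billing above verdict-only above read-only) and the 24-byte key length are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"regexp"
)

// Scope ranks the page's three key scopes; the ranking itself is an assumption.
type Scope int

const (
	ScopeReadOnly Scope = iota
	ScopeVerdictOnly
	ScopeVerdictAndBilling
)

// KeyRecord is what the server persists: the SHA-256 of the key, never the key itself.
type KeyRecord struct {
	Hash    [32]byte
	Scope   Scope
	Revoked bool
}

// NewAPIKey mints a key under prefix (sk_live_ or sk_test_); the plaintext is shown once, only its hash is stored.
func NewAPIKey(prefix string, scope Scope) (string, KeyRecord, error) {
	raw := make([]byte, 24)
	if _, err := rand.Read(raw); err != nil {
		return "", KeyRecord{}, err
	}
	key := prefix + base64.RawURLEncoding.EncodeToString(raw)
	return key, KeyRecord{Hash: sha256.Sum256([]byte(key)), Scope: scope}, nil
}

// Authorize hashes the presented key and looks it up, so a database dump yields no usable keys.
func Authorize(presented string, store map[[32]byte]*KeyRecord, need Scope) (*KeyRecord, error) {
	rec, ok := store[sha256.Sum256([]byte(presented))]
	if !ok || rec.Revoked || rec.Scope < need {
		return nil, errors.New("invalid, revoked or under-scoped API key")
	}
	return rec, nil
}

var keyPattern = regexp.MustCompile(`sk_(live|test)_[A-Za-z0-9_-]+`)

// RedactKeys keeps only the prefix in a log line, so keys never appear in logs after creation.
func RedactKeys(line string) string {
	return keyPattern.ReplaceAllString(line, "sk_${1}_[REDACTED]")
}
```

Revocation is a flag on the record, so flipping it takes effect on the next request without any key rotation on the customer's side.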

SSO & SCIM

SAML/OIDC SSO and SCIM 2.0 are on the Platform-tier roadmap. Available on request for design-partner Platform customers today. Generally available H2 2027.

Multi-factor

TOTP and WebAuthn (passkeys) on every authenticated dashboard. Recovery via signed-email backup. 2FA enforcement at the org level is a Platform-tier feature.

§ Subprocessors

Every third party we depend on.

If a vendor sees your data — even briefly, even for delivery — they're listed here. Updated on each subprocessor addition with 30-day customer notice for material additions.

Subprocessor | Purpose | Data category | Region
Railway | API + database hosting | all customer data | europe-west4
Cloudflare | DNS + DDoS protection | request metadata | global edge
Sentry | error monitoring | stack traces only — no payloads | EU
PostHog | product analytics | event metadata | EU (paid tier)
Stripe | billing | billing details | US
Resend | transactional email | email + name | US
Anthropic / OpenAI / Google | cultural-tier-2 advisory panel | name strings only | US

§ Pre-answered questionnaire

Security FAQ.

Do you have SOC 2?
SOC 2 Type 1 is in progress — target completion 2026-12-31, audit firm engaged via Vanta. Type 2 follows in Q3 2027. Until Type 1 lands, we ship a customer-facing security questionnaire pre-answered (this page) and grant Platform-tier customers read-only access to the in-progress Vanta dashboard on request.

Are you GDPR compliant?
Yes. We sign a DPA on customer request — email legal@etymolt.com. Etymolt processes minimal personal data (account email, billing details, IP for rate-limiting). Brand-name strings are not PII under Article 4(1). Data Subject Requests are honored within 30 days; emergency purges within 72 hours.

Where is data stored?
Primary region is Railway europe-west4 (Eemshaven, Netherlands). Cross-region backup to us-west2. EU-only data residency is available on Platform tier — billing details continue to flow through Stripe US under their EU-US Data Privacy Framework registration.

What's your incident response process?
Detection via Sentry + Better Stack uptime + manual customer reports. On-call rotation is two engineers. Initial response within 30 minutes for P0. Status page updated within 5 minutes of confirmed customer impact. Post-incident writeup published within 14 days at /status, blameless format, no marketing varnish.

Do you have a bug bounty program?
Yes. Report responsibly to security@etymolt.com with PGP encryption to 0x1779085662 (key on Keybase). Severity bands: P0 (auth bypass, signing-key compromise) $5,000–$15,000 · P1 (data leak, IDOR) $1,000–$5,000 · P2 (XSS, CSRF) $200–$1,000 · P3 (low) acknowledgment. We respond within 72 hours and credit researchers in this changelog with consent.

Do you pen-test?
Annual external penetration test starting Q1 2027 (aligned to SOC 2 Type 2 readiness). Findings are remediated within 30 days for critical, 90 days for high. Executive summary letter available to Platform-tier customers on request.

What happens to my data if I cancel?
Account-linked verdicts and dashboard data are retained 90 days for re-activation, then purged on the 91st day. Verdict permalinks at /v/{id} are retained indefinitely as part of the audit-log promise (they're append-only and form the integrity claim of the protocol). You can request earlier purge by emailing legal@etymolt.com.

How do I report a security issue urgently?
Email security@etymolt.com with subject [URGENT]. For active in-flight compromise, also CC tariq@etymolt.com directly. We acknowledge urgent reports within 4 hours during US/EU business hours, 24 hours otherwise.

§ Get in touch

Buyers, security teams, researchers.

Security

Vulnerability disclosure, incident reports, bug bounty submissions. PGP key on Keybase.

security@etymolt.com

Legal & DPA

Data Processing Agreement, vendor questionnaires, DPA signature requests.

legal@etymolt.com