Security

Security is foundational at dploy.in — not an afterthought. Here's how we protect your applications and data.

Compliance & Certifications

🛡️
SOC 2 Type II

Annually audited for security, availability, and confidentiality controls.

🇪🇺
GDPR

Fully compliant with EU data protection regulations, with DPA available on request.

🔒
ISO 27001

Information security management system certified by an accredited body.

💳
PCI DSS

Payment card processing is handled via Stripe and meets PCI DSS requirements.

Infrastructure Security

Encryption in Transit

All traffic is encrypted using TLS 1.3. We enforce HTTPS for all endpoints with automatic certificate provisioning via Let's Encrypt. HSTS headers are enabled globally.

Encryption at Rest

All data at rest — including databases, backups, and logs — is encrypted with AES-256. Encryption keys are managed through a dedicated KMS with automatic rotation.

Network Isolation

Each customer's services run in isolated containers with dedicated network namespaces. Private networking between your services uses encrypted tunnels with no internet exposure.

DDoS Protection

Multi-layered DDoS mitigation at our edge network absorbs volumetric attacks. Application-layer protections include rate limiting, bot detection, and anomaly filtering.

Application Security

Authentication

Passwords are hashed with bcrypt (cost factor 12). OAuth 2.0 integration with GitHub and Google. Two-factor authentication (TOTP) available for all accounts.

API Security

API keys with scoped permissions. JWTs with short expiration and secure refresh rotation. Rate limiting per endpoint with configurable thresholds.

Secrets Management

Environment variables are encrypted at rest and injected at runtime. Secrets are never exposed in build logs or API responses. Audit trail for all secret access.

Our Security Practices

Penetration Testing

Annual third-party penetration tests by an independent security firm. Critical findings are remediated within 24 hours.

Vulnerability Management

Automated dependency scanning on every build. Container images are scanned for CVEs before deployment. Critical vulnerabilities patched within 48 hours.

Incident Response

24/7 on-call engineering team with documented incident response runbooks. Customers are notified within 1 hour of any data breach. Post-incident reviews published publicly.

Employee Access

Production access requires MFA and is limited to essential personnel. All access is logged and audited. Background checks for all employees handling customer data.

Backups

Automated daily backups for all managed databases with 30-day retention. Point-in-time recovery available. Backups are stored in a separate region from primary data.

Responsible Disclosure

Found a vulnerability? We appreciate responsible disclosure and offer bounties for qualifying reports. Please do not test against production accounts without permission.

Report a Vulnerability →

security@dploy.in · PGP key available on request