Security posture, in detail.
How we build, host, and operate Appstrate. Honestly stated. Audit-ready.
Where we are today
We don't claim certifications we don't have. Current status:
How we secure the platform
Sandboxed execution
Every run in an isolated Docker container. No host access.
Credential isolation
Sidecar proxy pattern. Agents never see secrets.
AES-GCM at rest
32-byte key. Rotation supported. Envelope encryption on Enterprise.
TLS 1.3 in transit
HSTS preloaded. Modern ciphers only.
RBAC throughout
78 typed permissions. Every route gated.
SSRF hardening
Outbound URLs validated. No metadata leaks.
Rate limiting
Redis-backed. Per user, per IP, per route.
Audit logs
Every privileged action logged. Exportable on Enterprise.
Who touches your data
Full list, updated monthly. Changes announced 30 days in advance.
| Vendor | Purpose | Region |
|---|---|---|
| Cloudflare | CDN + edge hosting | Global / EU-only option |
| AWS | Storage (S3) | EU-west-3 (Paris) |
| Stripe | Billing | Ireland (EU) |
| Resend | Transactional email | EU |
| Sentry | Error monitoring | EU |
You can leave. With everything.
Data, agents, and configuration are all exportable via the API — applications, end-users, credentials (encrypted), and run history. Agents are packaged per the open AFPS spec, so they run on any compliant host. The platform itself is Apache 2.0 — no opaque dependency, no source-available trickery. If we disappear, your agents keep running.
Found a vulnerability?
Email [email protected]. GPG key available at /security/gpg.txt.
- Ack within 2 business days
- Remediation timeline within 10 business days
- Public credit on Security page (opt-in)
- No legal action against good-faith researchers
Request the full security package.
SOC 2 progress report, penetration test summary, SBOM, DPA — all under NDA.