Security & Compliance
Last reviewed: November 11, 2025 | Status: Beta
🔒 Beta Security Notice: PYLON is in active development. Use for testing only. Production security hardening planned for Q1 2026.
Current Security Features
Transport Security
- TLS 1.3: Automatic via Caddy reverse proxy
- HTTPS only: No plain HTTP accepted
- Certificate management: Automatic via Let's Encrypt
Data Protection
- Encryption at rest: AES-256-GCM for sensitive fields
- API key storage: Hashed with bcrypt (never plain-text)
- Webhook security: HMAC-SHA256 signatures
- Memory safety: Written in Rust; the compiler rules out buffer overflows and use-after-free in safe code (any `unsafe` blocks are the exception and are reviewed separately)
- Automated backups: Daily database backups with 30-day retention
Data Residency
- Location: Vlotho, Germany (on-premises)
- No cloud providers: Zero third-party access to data
- EU-only: No data transfer outside EU
- Schrems II compliant: No US jurisdiction
Audit & Compliance
- Audit trail: All API calls logged with timestamps
- Data retention: 30-day automatic cleanup
- GDPR compliant: Minimal data collection, deletion on request
Beta Limitations
The following security controls are planned or not yet active in the beta:
- Credential signature verification: Currently stubbed for testing, so a credential's signature is not actually checked (real verification Q1 2026)
- Rate limiting: Implemented but not enforced during beta, so abusive clients are not throttled
- Penetration testing: Planned for Q1 2026
- Formal certifications: ISO 27001, SOC 2 planned for Q2 2026
Standards Support
| Standard | Status |
| --- | --- |
| OID4VP | 🔄 In Development |
| SD-JWT-VC | 🔄 In Development |
| ISO 18013-5 | 🔄 Planned (Q1 2026) |
Your Security Responsibilities
During beta testing, you should:
- Test data only: Do not use for production or real user data
- Verify webhooks: Always validate the X-Pylon-Signature header before acting on a payload
- Use HTTPS: For your webhook endpoint (TLS 1.2+)
- Rotate API keys: Every 90 days recommended
- Monitor usage: Alert on unusual patterns
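The page states that webhooks carry an HMAC-SHA256 signature in the X-Pylon-Signature header but does not document the exact encoding. The following is an added example of a receiver-side check, not PYLON's own code: it assumes the signature is the lowercase hex HMAC-SHA256 of the raw request body under a shared webhook secret, and the event payload and secret are constructed for illustration. If PYLON's format differs (for example a prefix or a signed timestamp), adapt `sign_body` accordingly; the verification pattern stays the same.

```python
import hmac
import hashlib
import json

# Header name is documented on the page. The encoding (lowercase hex
# HMAC-SHA256 over the raw body) is an ASSUMPTION for this example.
SIGNATURE_HEADER = "X-Pylon-Signature"


def sign_body(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw body, hex-encoded (assumed format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, secret: bytes) -> bool:
    """Receiver side. True only if the header is present and matches the body.

    - MAC the raw bytes as received, never a re-serialised JSON object:
      whitespace or key-order changes would silently break the MAC.
    - Compare with hmac.compare_digest so a mismatch takes the same time
      regardless of how many leading bytes happen to agree.
    """
    presented = None
    for name, value in headers.items():  # HTTP header names are case-insensitive
        if name.lower() == SIGNATURE_HEADER.lower():
            presented = value
            break
    if not presented:
        return False  # missing signature is a rejection, not a pass-through
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode(), presented.strip().lower().encode())


def handle_webhook(headers: dict, body: bytes, secret: bytes) -> dict:
    """Verify first; only parse the JSON once the signature is known to be good."""
    if not verify_webhook(headers, body, secret):
        raise PermissionError("webhook signature missing or invalid")
    return json.loads(body)


# Constructed sample: a made-up event and a made-up shared secret.
SECRET = b"replace-with-the-webhook-secret-from-your-dashboard"
BODY = b'{"event":"verification.completed","session_id":"sess_demo_01","status":"ok"}'
GOOD_HEADERS = {"Content-Type": "application/json",
                SIGNATURE_HEADER: sign_body(SECRET, BODY)}
TAMPERED_BODY = BODY.replace(b'"ok"', b'"failed"')  # same header, altered body

if __name__ == "__main__":
    print(handle_webhook(GOOD_HEADERS, BODY, SECRET))
    print(verify_webhook(GOOD_HEADERS, TAMPERED_BODY, SECRET))  # False
    print(verify_webhook({}, BODY, SECRET))                      # False
```

Two caveats a practitioner should keep in mind: a body-only MAC does not defend against replay, so if PYLON's payload carries an event or session identifier, record the ones you have already processed and discard duplicates; and the secret must be fetched from your configuration store, never hard-coded as in this illustration.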
Incident Response
Security issues: Report to security@pylonid.eu
Response time: Best effort within 48 hours during beta
Production SLA: 24-hour response planned for Q1 2026
Responsible Disclosure
Found a vulnerability? Report privately to security@pylonid.eu
We commit to:
- Acknowledging receipt within 48 hours
- Status updates as needed
- Public credit after fix (if desired)
Roadmap
- Q4 2025: Monitoring and alerting
- Q1 2026: Real credential verification, production hardening
- Q2 2026: Penetration testing, ISO 27001 preparation
- Q3 2026: SOC 2 Type I certification
Contact
- Security & General: security@pylonid.eu
- Privacy & Data: privacy@pylonid.eu
- Legal: legal@pylonid.eu
Note: All email addresses are operated by the sole developer. Response times during beta are best-effort.