Security & Compliance

Last reviewed: April 2026 | Status: Beta

Security Features

Transport Security

• TLS 1.3: All connections encrypted via Caddy reverse proxy
• HTTPS only: No plain HTTP accepted
• Certificate management: Automatic via Let's Encrypt

Cryptography

• Encryption at rest: AES-256-GCM for sensitive database fields
• API key storage: Hashed with bcrypt (never stored in plaintext)
• Webhook signatures: HMAC-SHA256 with constant-time comparison
• Authorization requests: Signed ES256 JWTs (ECDSA P-256)
• Credential verification: ES256 signature verification against PID Issuer JWKS
• Key binding: ES256 verification with nonce, audience, and freshness checks
• Memory safety: Written in Rust (no buffer overflows, no use-after-free)

Data Residency

• Location: Germany (on-premises)
• No cloud providers: Zero third-party access to data
• EU-only: No data transfer outside EU
• Schrems II compliant: No US jurisdiction exposure

Standards Compliance

Audit & Compliance

• Audit trail: Immutable logs for all verification events
• Data retention: Automatic cleanup of expired records
• GDPR compliant: Minimal data collection, deletion on request

Beta Limitations

• No credential revocation checking: Planned
• No formal certifications: ISO 27001, SOC 2 planned for 2027
• No penetration testing: Planned
• Solo developer: No formal security team yet

Your Responsibilities

• Validate webhooks: Always check the X-Pylon-Signature header
• Use HTTPS: For all webhook endpoints
• Secure API keys: Store in secrets manager, rotate periodically
• User consent: Obtain consent before initiating verification
• Monitor usage: Alert on unusual patterns

Responsible Disclosure

Found a vulnerability? Report privately to security@pylonid.eu

• Acknowledgment within 48 hours
• Status updates as investigation proceeds
• Public credit after fix (if desired)

Contact

• Security: security@pylonid.eu
• General: hello@pylonid.eu

Note: PylonID is developed and operated by a sole developer. Response times are best-effort.