Security

Last updated: January 2025

Security overview

Pakyas is built with security-first design principles. We use modern cryptography, strong defaults, and defense-in-depth to protect customer data and system integrity.

Application security

  • Memory-safe backend - Built entirely in Rust, eliminating entire classes of vulnerabilities like buffer overflows and use-after-free.
  • Stateless CSRF protection - HMAC-signed tokens with HKDF key derivation, safe across multiple instances.
  • Strong password hashing - Argon2id with secure parameters for password storage.
  • Encrypted secrets - Sensitive secrets are encrypted using XChaCha20-Poly1305.
  • Rate limiting - Authentication endpoints are protected against brute force attacks.
  • Content Security Policy - Strict CSP headers to mitigate XSS and injection attacks.

Infrastructure and network security

  • HTTPS enforced on all endpoints
  • Secure headers enabled (HSTS, X-Frame-Options, X-Content-Type-Options)
  • Secrets stored in environment-based configuration, not in source control
  • Database connections use TLS encryption

Data protection

  • Minimal data collection - we only store what's necessary for the service
  • No selling of user data to third parties
  • Data retention based on your plan limits
  • You can request data export or deletion at any time

See our Privacy Policy for full details on how we handle your information.

Availability and reliability

  • Multi-instance safe design - stateless components where possible
  • Monitoring and alerting on service health
  • Graceful degradation where applicable
  • Regular backups of customer data

Responsible disclosure

If you believe you've found a security vulnerability in Pakyas, please let us know. We appreciate responsible disclosure and will respond promptly.

Contact us at [email protected].

What we don't claim

We believe in transparency. Here's what Pakyas does not currently have:

  • Not SOC 2 certified (yet)
  • Not ISO 27001 certified (yet)
  • No formal bug bounty program (yet)

We're a small team building a focused product. As we grow, we'll pursue formal certifications where they make sense for our customers.

Questions?

If you have questions about our security practices, contact us at [email protected].