Security

We welcome responsible disclosure. If you believe you have found a security issue in KeyCustody, please tell us.

Report a security concern

Email [email protected] with a description of the issue and steps to reproduce it. Please give us a reasonable opportunity to investigate and address the report before any public disclosure. We do not currently run a formal bug-bounty program.

Practices in place today

The summary below describes practices that are true today. KeyCustody does not claim any third-party security certification or attestation.

  • Data is encrypted in transit.
  • Each customer organization's data is isolated from every other organization's by construction — records are scoped to the organization that owns them.
  • Activity logging is always on and cannot be disabled; sensitive actions are recorded for accountability.
  • Custody, disclosure, and rotation events are recorded in append-only ledgers — history is corrected by adding new events, never by rewriting the record.
  • By default, KeyCustody stores facts about a secret (what it controls, who is authorized, rotation history) rather than the secret value itself.