Security
We welcome responsible disclosure. If you believe you have found a security issue in KeyCustody, please tell us.
Report a security concern
Email [email protected] with a description of the issue and steps to reproduce it. Please give us a reasonable opportunity to investigate and address the report before any public disclosure. We do not currently run a formal bug-bounty program.
Practices in place today
The summary below describes practices that are true today. KeyCustody does not claim any third-party security certification or attestation.
- Data is encrypted in transit.
- Each customer organization's data is isolated from every other organization's by construction — records are scoped to the organization that owns them.
- Activity logging is always on and cannot be disabled; sensitive actions are recorded for accountability.
- Custody, disclosure, and rotation events are recorded in append-only ledgers — history is corrected by adding new events, never by rewriting the record.
- By default, KeyCustody stores facts about a secret (what it controls, who is authorized, rotation history) rather than the secret value itself.