Security

Trust is the product.

Statis is infrastructure for people who can't afford to get security wrong. Here's how we approach protecting your data, your policies, and your audit trail.

Encryption

  • In transit — all connections use TLS 1.3 with modern cipher suites. HTTP is redirected to HTTPS. HSTS is enforced.
  • At rest — all databases use AES-256 encryption. Backups are encrypted with separate keys.
  • Secrets — API keys, connector credentials, and webhook signing secrets are stored encrypted with envelope encryption (data keys wrapped by a master key).

Authentication & access

  • Password hashing with bcrypt and per-user salts
  • OIDC SSO support (Okta, Entra ID) on Enterprise plans
  • API keys are scoped per-environment and rotatable
  • Every console and API action is logged with actor, timestamp, and outcome

Audit trail

Every action that flows through Statis produces a tamper-evident receipt: the SHA-256 digest of the action payload, outcome, policy evaluation, and timestamp. Receipts are written atomically with execution, so an action and its receipt either both persist or neither does, and a receipt cannot be modified after the fact. This is not a security feature — it's the product.
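As an added illustration, not Statis's own code or receipt format: one way to compute and verify receipts of the kind described above. It assumes a canonical JSON serialization and the field names shown, and it adds one thing the paragraph does not mention, a `prev` link to the previous receipt's digest. A per-receipt hash on its own only detects an edited receipt; chaining also makes a deleted or reordered receipt detectable. The sample receipts are constructed for the example.

```python
import hashlib
import json
from typing import Any, List, Optional

# Hypothetical chain-start marker for the first receipt's "prev" field.
GENESIS = "0" * 64


def canonical(obj: Any) -> bytes:
    """Deterministic serialization: fixed key order and separators, so the
    same fields always produce the same bytes (and the same digest).
    This canonical form is an assumption of the example, not a Statis format."""
    return json.dumps(
        obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def make_receipt(action: dict, outcome: str, policy_eval: dict,
                 timestamp: str, prev_digest: str = GENESIS) -> dict:
    """Bind payload, outcome, policy evaluation, timestamp and the previous
    receipt's digest together under one SHA-256 digest."""
    body = {
        "action": action,
        "outcome": outcome,
        "policy_evaluation": policy_eval,
        "timestamp": timestamp,
        "prev": prev_digest,
    }
    digest = hashlib.sha256(canonical(body)).hexdigest()
    return {**body, "digest": digest}


def verify_chain(receipts: List[dict]) -> Optional[int]:
    """Walk the chain from the start. Return the index of the first receipt
    that fails (digest mismatch or broken prev link), or None if intact."""
    expected_prev = GENESIS
    for i, r in enumerate(receipts):
        body = {k: v for k, v in r.items() if k != "digest"}
        if body.get("prev") != expected_prev:
            return i  # a receipt before this one was removed or reordered
        if hashlib.sha256(canonical(body)).hexdigest() != r.get("digest"):
            return i  # this receipt's contents were altered
        expected_prev = r["digest"]
    return None


def build_sample_chain() -> List[dict]:
    """Constructed sample receipts for three hypothetical actions."""
    steps = [
        ({"type": "connector.call", "connector": "crm", "op": "update"},
         "allowed", {"policy": "p-1", "result": "allow"}, "2026-01-05T10:00:00Z"),
        ({"type": "connector.call", "connector": "billing", "op": "refund"},
         "denied", {"policy": "p-7", "result": "deny"}, "2026-01-05T10:00:02Z"),
        ({"type": "webhook.send", "target": "ops"},
         "allowed", {"policy": "p-1", "result": "allow"}, "2026-01-05T10:00:03Z"),
    ]
    chain: List[dict] = []
    prev = GENESIS
    for action, outcome, policy, ts in steps:
        r = make_receipt(action, outcome, policy, ts, prev)
        chain.append(r)
        prev = r["digest"]
    return chain


def tamper_outcome(chain: List[dict], idx: int, new_outcome: str) -> List[dict]:
    """Return a copy of the chain with one receipt's outcome rewritten in place
    (the digest is left as it was, as an after-the-fact edit would)."""
    copied = [dict(r) for r in chain]
    copied[idx]["outcome"] = new_outcome
    return copied


def drop_receipt(chain: List[dict], idx: int) -> List[dict]:
    """Return a copy of the chain with one receipt silently removed."""
    return [dict(r) for i, r in enumerate(chain) if i != idx]


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("edited #1:", verify_chain(tamper_outcome(chain, 1, "allowed")))
    print("dropped #1:", verify_chain(drop_receipt(chain, 1)))
```

The chain head digest still has to live somewhere the writer cannot alter (exported to the customer, or published) before the receipts count as evidence against the operator rather than only against a third party.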

Isolation

  • Tenant-scoped data at every layer (DB, API, worker)
  • Row-level security on all multi-tenant tables
  • Separate connector credentials per tenant — no cross-tenant access
  • Dedicated infrastructure available on Enterprise plans

Vulnerability management

  • Automated dependency scanning on every commit (Dependabot)
  • Static analysis and secret scanning in CI
  • Quarterly third-party penetration tests (Enterprise)
  • Coordinated disclosure via security@statis.dev (see Report a vulnerability below)

Incident response

In the event of a security incident that affects customer data, we will notify affected customers within 72 hours via email and in-product banner. Post-incident reports are published at status.statis.dev.

Compliance roadmap

  • SOC 2 Type II — audit in progress, report expected Q3 2026
  • HIPAA — BAA available on Enterprise plans
  • GDPR — DPA available on request, EU residency on Enterprise plans
  • ISO 27001 — planned for Q4 2026

Self-hosted

For customers who need full control, Statis is available as a self-hosted distribution via Docker Compose or Kubernetes. All data stays on your infrastructure. See the self-hosting guide.

Report a vulnerability

If you believe you've found a security vulnerability, please report it responsibly to security@statis.dev. We acknowledge reports within one business day and aim to triage within 72 hours. We appreciate your help keeping Statis secure.