Statis v0.4 · beta
§ 01 Security

Trust is the product.

Statis is infrastructure for teams who can't afford to get security wrong. Here's how we protect your data, your policies, and your audit trail.

§ 02 Encryption
  • In transit — all connections use TLS 1.3 with modern cipher suites. HTTP redirects to HTTPS. HSTS enforced.
  • At rest — databases use AES-256 encryption. Backups are encrypted with separate keys.
  • Secrets — API keys, connector credentials, and webhook signatures are stored encrypted using envelope encryption.
§ 03 Authentication & access
  • Password hashing with bcrypt and per-user salts
  • OIDC SSO support (Okta, Entra ID) on Enterprise plans
  • API keys scoped per-environment, rotatable
  • Every console and API action logged with actor, timestamp, and outcome
§ 04 Audit trail

Every action flowing through Statis produces a tamper-evident receipt: SHA-256 of the action payload, outcome, policy evaluation, and timestamp. Receipts are written atomically with execution and cannot be modified after the fact. This is not a security feature — it's the product.
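An added illustration of the receipt described above, not Statis's own code: the field names, the canonical JSON encoding, and the sample record are assumptions made for the example. It shows why the hashed bytes must be deterministic and how any change to a covered field fails verification.

```python
import hashlib
import hmac
import json

# Assumed field names for the four items the receipt covers.
FIELDS = ("payload", "outcome", "policy_evaluation", "timestamp")

# Constructed sample record (not real Statis data).
SAMPLE = {
    "payload": {"action": "refund.create", "amount": 4200, "currency": "USD"},
    "outcome": "executed",
    "policy_evaluation": {"policy": "refunds-under-50", "decision": "allow"},
    "timestamp": "2026-01-15T09:30:00Z",
}

def canonical(record):
    """Serialize the covered fields to deterministic bytes.

    Sorted keys and fixed separators mean the same logical record always
    hashes to the same value, whatever order its keys were built in.
    """
    subset = {name: record[name] for name in FIELDS}  # KeyError if absent
    return json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def make_receipt(record):
    """Return the hex SHA-256 over the canonical form of the record."""
    return hashlib.sha256(canonical(record)).hexdigest()

def verify_receipt(record, receipt):
    """Recompute the digest and compare; a missing field fails closed."""
    try:
        expected = make_receipt(record)
    except KeyError:
        return False
    return hmac.compare_digest(expected, receipt)

if __name__ == "__main__":
    receipt = make_receipt(SAMPLE)
    print("receipt:", receipt)
    print("original verifies:", verify_receipt(SAMPLE, receipt))
    tampered = dict(SAMPLE, outcome="denied")
    print("tampered verifies:", verify_receipt(tampered, receipt))
```

A bare digest reveals tampering only when it is kept where someone able to edit the record cannot also rewrite the digest.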

§ 05 Isolation
  • Tenant-scoped data at every layer (DB, API, worker)
  • Row-level security on all multi-tenant tables
  • Separate connector credentials per tenant — no cross-tenant access
  • Dedicated infrastructure available on Enterprise plans
§ 06 Vulnerability management
  • Automated dependency scanning on every commit (Dependabot)
  • Static analysis and secret scanning in CI
  • Quarterly third-party penetration tests (Enterprise)
  • Public disclosure via security@statis.dev
§ 07 Incident response

In the event of a security incident affecting customer data, we notify affected customers within 72 hours via email and in-product banner. Post-incident reports are published at status.statis.dev.

§ 08 Compliance roadmap
  • SOC 2 Type II — audit in progress, report expected Q3 2026
  • HIPAA — BAA available on Enterprise plans
  • GDPR — DPA available on request, EU residency on Enterprise
  • ISO 27001 — planned Q4 2026

Self-hosted

For customers who need full control, Statis is available as a self-hosted distribution via Docker Compose or Kubernetes. All data stays on your infrastructure. See the self-hosting guide.

Report a vulnerability

If you believe you've found a security vulnerability, report it responsibly to security@statis.dev. We acknowledge within one business day and triage within 72 hours. We appreciate your help keeping Statis secure.