Security
Infrastructure
Data in Transit
All data is encrypted in transit using TLS 1.3:
- API requests and responses
- Bundle uploads and downloads
- SDK communication
- Dashboard access
Data at Rest
All data is encrypted at rest using AES-256:
- JavaScript bundles on the CDN
- Database records
- API keys and secrets
- Analytics data
Hosting
- AWS with SOC 2 compliant infrastructure
- Multi-region deployment for high availability
- Automated backups with point-in-time recovery
- DDoS protection via Cloudflare
Application Security
Authentication
- API keys use cryptographically secure random generation
- Dashboard uses OAuth 2.0 with PKCE (a secure login flow that prevents token interception)
- Session tokens expire after 24 hours of inactivity
- Two-factor authentication (2FA) available
Authorization
- Role-based access control (RBAC) for team members
- Per-app access restrictions
- API key permissions (read, write, admin)
- Deployment keys have read-only access
tip
Always assign the most restrictive role that lets a person do their job. See Team Management for role details.
Bundle Security
Hash Verification
Every bundle has a SHA-256 hash computed at upload time. The SDK verifies the hash after downloading and applying patches. If the hash does not match, the update is rejected.
Bundle Signing (Optional)
For additional security, enable RSA bundle signing:
- Sign bundles with your private key during publishing
- Verify signatures with your public key in the SDK
- Prevents unauthorized code execution even if the CDN is compromised
See Bundle Signing for setup instructions.
info
Hash verification is always active and cannot be disabled. Bundle signing adds an extra layer of trust on top.
Vulnerability Reporting
If you discover a security vulnerability, report it responsibly:
- Email: security@swiftpatch.io
- Do not disclose publicly until we have investigated and fixed the issue
We aim to acknowledge reports within 24 hours and provide a fix timeline within 72 hours.
Compliance
- SOC 2 Type II -- in progress
- GDPR -- data processing agreements available
- HIPAA -- available on Enterprise plans with BAA (Business Associate Agreement)
- App Store Guidelines -- compliant with Apple and Google OTA update policies
Best Practices
- Rotate API keys regularly -- do not let keys go stale
- Use minimum permissions for API keys
- Enable bundle signing for production apps
- Enable 2FA for all team members
- Monitor audit logs in the dashboard
- Keep the SDK updated for the latest security patches