How Aembit handles its own security

We build identity management software. We are held to the same standards we ask of your workloads — documented architecture controls, responsible disclosure, and an audit trail of our own access decisions.

How we document our security posture

SOC 2 Type II audit

Audit completed March 2026. Audit period: September 2025 – February 2026. Report available to customers evaluating Aembit for production use. Covers Security, Availability, and Confidentiality trust service criteria. Contact us to request the report.

Architecture controls

No credential database — Aembit issues ephemeral tokens and never stores credential material. All API communication uses TLS 1.3 minimum. Audit logs are encrypted at rest (AES-256). The control plane runs in isolated tenant namespaces with least-privilege access reviewed quarterly.

  • AES-256 encryption at rest
  • TLS 1.3 minimum in transit
  • Tenant namespace isolation
  • Zero stored credential material
  • Dependency scanning on every PR

Found a vulnerability?

Encrypt your report using our PGP key (available on the keyserver at keys.openpgp.org). Include reproduction steps, affected version, and impact assessment if you have one.
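As an added example for the reporting step above (it is not Aembit's own tooling and is not from this page), the shell script below fetches a disclosure key from keys.openpgp.org, pins it to a fingerprint the reporter has confirmed out of band, and only then encrypts the report. The address security@example.com and the all-zero fingerprint are placeholders; the page publishes neither, so substitute the real values before use. Key lookup by e-mail address alone is not a trust decision, which is why the script refuses to encrypt on a fingerprint mismatch.

```shell
#!/bin/sh
# Added example: fetch a disclosure key from keys.openpgp.org, pin its
# fingerprint, then encrypt a report with it. The address and fingerprint
# below are placeholders (assumptions), not values published on the page.
set -eu

KEYSERVER="hkps://keys.openpgp.org"
RECIPIENT="${RECIPIENT:-security@example.com}"   # assumed address
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"  # assumed

# Normalise a fingerprint for comparison: strip spaces and colons, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two fingerprints match after normalisation, 1 otherwise.
# Pure shell, so the pinning logic can be exercised without gpg installed.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Fetch the key for RECIPIENT from the keyserver and print the primary
# fingerprint gpg imported (field 10 of the "fpr" record in colon output).
fetch_fpr() {
    gpg --batch --keyserver "$KEYSERVER" \
        --auto-key-locate clear,keyserver --locate-keys "$RECIPIENT" >/dev/null
    gpg --batch --with-colons --fingerprint "$RECIPIENT" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt a report file only when the fetched key matches the pinned fingerprint.
# Output is ASCII-armoured so it can be pasted into a web form or e-mail.
encrypt_report() {
    report="$1"
    got="$(fetch_fpr)"
    if ! fpr_matches "$got" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: got $got, expected $EXPECTED_FPR" >&2
        return 1
    fi
    # --trust-model always is acceptable here because the fingerprint is pinned.
    gpg --batch --armor --encrypt --trust-model always \
        --recipient "$EXPECTED_FPR" --output "$report.asc" "$report"
    echo "wrote $report.asc"
}

# Usage: EXPECTED_FPR=<pinned fpr> RECIPIENT=<address> ./encrypt_report.sh report.txt
if [ "${1:-}" != "" ]; then
    encrypt_report "$1"
fi
```

The fingerprint to pin should come from a channel other than the keyserver itself (the vendor's site over TLS, a signed document, or a call with their security team); the keyserver only tells you which key currently claims the address.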

Our response SLA

We acknowledge reports within 24 hours and provide a severity assessment within 72 hours. Critical vulnerabilities are patched within 7 days. We coordinate the disclosure timeline with the reporter.

Bug bounty

We offer bounties ranging from $250 (low) to $10,000 (critical) for verified vulnerabilities in the control plane, proxy sidecar, and attestation flow. We do not pursue legal action against good-faith researchers.

Running a vendor security review?

We can walk through our architecture controls, answer your security questionnaire, or schedule a technical deep-dive with the engineers who built the system. No sales deck involved.