Security

DataSonar is built for production use by teams that take security seriously. We treat customer data, API keys, and request logs as sensitive and apply standard industry controls to protect them.

Encryption

All traffic between your client and the API is encrypted in transit over TLS 1.3. Data at rest is encrypted using AES-256 on the underlying storage layer.

Authentication

API keys are 192-bit random tokens hashed with SHA-256 for storage — the raw key is never persisted on our side. Account passwords are hashed using argon2id with per-credential random salts.

Webhook signatures

Every webhook we deliver includes an HMAC signature header so your server can verify the request came from DataSonar. Stripe-style webhook verification helpers ship in our SDKs.
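A receiver-side check for a signed webhook, as an added example that is not DataSonar's SDK code. It assumes the layout Stripe uses (a header value of the form `t=<unix time>,v1=<hex HMAC-SHA256>` computed over `<t>.<raw body>`); the header format, the 300-second tolerance, and the names `sign` and `verify` are assumptions, since this page does not specify them.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a value documented on this page


def sign(secret, body, timestamp):
    """Sender side in the assumed layout: t=<unix time>,v1=<hex HMAC-SHA256>."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify(secret, body, header, now=None):
    """Return True only if the header authenticates these exact bytes and is fresh."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)  # assumed: several v1 entries during secret rotation
    if timestamp is None or not (timestamp.isascii() and timestamp.isdigit()) or not candidates:
        return False
    # Reject stale or far-future timestamps so a captured delivery cannot be replayed later.
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False
    # The MAC covers the timestamp and the raw bytes as received, not re-serialized JSON.
    expected = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()
    # Constant-time comparison; evaluate every candidate instead of short-circuiting.
    results = [hmac.compare_digest(expected.encode(), c.encode()) for c in candidates]
    return any(results)


if __name__ == "__main__":
    secret = b"constructed-example-secret"   # constructed sample values
    body = b'{"event":"example"}'
    header = sign(secret, body, int(time.time()))
    print(verify(secret, body, header))          # untouched delivery
    print(verify(secret, body + b" ", header))   # body altered in transit
```

Pass the request body to `verify` as the raw bytes read from the socket; parsing and re-serializing the JSON first changes the bytes and makes a valid signature fail.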

Compliance

SOC 2 Type II is on the roadmap; documentation is available under NDA on request. GDPR and CCPA: we minimize the personal data we collect and offer customer data export and deletion on request.

Responsible disclosure

We welcome security reports. Please email security@datasonar.dev with details. We acknowledge reports within one business day and aim to resolve confirmed issues within 30 days.

See also our security.txt for the canonical contact record.

Status page

Live operational status is published at status.datasonar.dev.