authepy.
Trust & Compliance Tiers

SOC 2 Compliance Primitives.

A system layout mapping our infrastructure directly to the AICPA Trust Services Criteria for Security, Availability, and Confidentiality.

CC1 // Logical & Physical Access Enforced via Express Middleware

Tenant resources are isolated through rigorous API key evaluation (authenticateDeveloperKey). Secret access keys are generated via Node's native crypto.randomBytes and are one-way hashed into our PostgreSQL configuration ledger, ensuring zero plaintext visibility even for system administrators.

CC2 // Delivery Availability Systems Enforced via Failover Architecture

Our email dispatch layer is built for absolute resilience. The DeliverabilityEngine automatically shifts transaction routes between high-availability providers (AWS SES to Postmark) if outbound latency thresholds are breached, fulfilling strict uptime Service Level Agreements.

CC3 // Processing Confidentiality Enforced via Ephemeral Logs

All verification checks execute exclusively within transient memory. Our authepy_api_logs table strictly records metadata (timestamps, IP addresses, success/fail statuses) under a 30-day retention policy. The actual numeric OTP codes are purposefully banned from application monitoring logs.