Last updated: 2026-05-26
Security & Data Residency
This page is the source of truth for how Sentinel handles customer data. We update it whenever our posture changes.
Data residency
Customer data — tenants, API keys (hashed), approval records, audit events, webhook endpoints, billing state — is stored in Railway's us-east region (Northern Virginia, AWS). We do not currently offer EU residency; if you need EU-only data location, email us before purchase.
TLS termination happens at Vercel's global edge for api.pauseapi.app and app.pauseapi.app — this is connection-level only; request bodies flow through Vercel without storage.
Encryption
At rest: Postgres and Redis storage on Railway are encrypted at rest (AES-256, AWS-managed).
In transit: All inbound and outbound HTTP traffic uses TLS 1.2 or higher. HSTS is enabled on all public hosts.
API keys: Stored as SHA-256 hashes only. Raw values are shown to you ONCE on creation. We cannot recover a lost API key — use the magic-link recovery flow at app.pauseapi.app/recover to rotate.
Approval and webhook tokens: HMAC-SHA256 signed with per-tenant or per-endpoint secrets. Verifiable offline.
Access controls
- API access requires a per-tenant Bearer API key
- Dashboard access requires the same API key (paste at login)
- Admin endpoints require a separate operator-only token (
ADMIN_TOKEN) - Magic-link approve/reject tokens are scoped to one action and expire with the approval's
timeout_seconds - SSO via SAML/OIDC: planned for Q3 2026 (ADR roadmap available under NDA)
Audit log
Every state change (approval created, decided, webhook delivered, api key issued/revoked) is appended to a hash-chained immutable log. Each event includes prev_hash and event_hash (SHA-256) — chain integrity can be verified offline by recomputing sha256(prev_hash + canonical_json(payload)).
Cryptographic timestamping (RFC 3161) of each audit event is on the Phase 2 roadmap.
Vulnerability handling
Reporting path: email security@regengine.co. See each SDK / repo's SECURITY.md for severity SLAs.
- Critical: 24 h acknowledgment / 72 h fix target
- High: 48 h ack / 7-day fix target
- Medium / Low: graded targets
We support coordinated disclosure and credit reporters in release notes (or remain anonymous on request).
Certifications
Sentinel does not currently hold SOC 2 / ISO 27001 / HIPAA / FedRAMP certifications. We are in active preparation for SOC 2 Type I (Q4 2026 target). Customers who need a certification today should hold for that issuance, or engage with us under a NDA for evidence of our control set.
Penetration testing
We engage external penetration testers annually starting Q3 2026. Reports are available under NDA to Pro and Enterprise customers.
Incident response
We maintain an internal incident-response runbook (available under NDA). We commit to:
- Status page update within 30 minutes of detection
- Customer email update within 2 hours for any Sev1 affecting their data
- Public postmortem within 5 business days for any Sev1
Data retention & deletion
Approval records, audit events, and webhook delivery history are retained for the duration of the tenant's account. On account deletion (or via API key revoke + tenant close request), all tenant data is purged within 30 days. Stripe transaction records and our financial accounting are retained as required by tax / financial law (7 years).
Subprocessors
See the subprocessor list for every third-party vendor that processes customer data, with their DPA links and notification-on-change policy.
Security questions or DPA requests: email security@regengine.co.