Last updated: 2026-05-26

Security & Data Residency

This page is the source of truth for how Sentinel handles customer data. We update it whenever our posture changes.

Data residency

Customer data — tenants, API keys (hashed), approval records, audit events, webhook endpoints, billing state — is stored in Railway's us-east region (Northern Virginia, AWS). We do not currently offer EU residency; if you need EU-only data location, email us before purchase.

TLS termination happens at Vercel's global edge for api.pauseapi.app and app.pauseapi.app — this is connection-level only; request bodies flow through Vercel without storage.

Encryption

At rest: Postgres and Redis storage on Railway are encrypted at rest (AES-256, AWS-managed).

In transit: All inbound and outbound HTTP traffic uses TLS 1.2 or higher. HSTS is enabled on all public hosts.

API keys: Stored as SHA-256 hashes only. Raw values are shown to you ONCE on creation. We cannot recover a lost API key — use the magic-link recovery flow at app.pauseapi.app/recover to rotate.

Approval and webhook tokens: HMAC-SHA256 signed with per-tenant or per-endpoint secrets. Verifiable offline.

Access controls

  • API access requires a per-tenant Bearer API key
  • Dashboard access requires the same API key (paste at login)
  • Admin endpoints require a separate operator-only token (ADMIN_TOKEN)
  • Magic-link approve/reject tokens are scoped to one action and expire with the approval's timeout_seconds
  • SSO via SAML/OIDC: planned for Q3 2026 (ADR roadmap available under NDA)

Audit log

Every state change (approval created, decided, webhook delivered, api key issued/revoked) is appended to a hash-chained immutable log. Each event includes prev_hash and event_hash (SHA-256) — chain integrity can be verified offline by recomputing sha256(prev_hash + canonical_json(payload)).

Cryptographic timestamping (RFC 3161) of each audit event is on the Phase 2 roadmap.

Vulnerability handling

Reporting path: email security@regengine.co. See each SDK / repo's SECURITY.md for severity SLAs.

  • Critical: 24 h acknowledgment / 72 h fix target
  • High: 48 h ack / 7-day fix target
  • Medium / Low: graded targets

We support coordinated disclosure and credit reporters in release notes (or remain anonymous on request).

Certifications

Sentinel does not currently hold SOC 2 / ISO 27001 / HIPAA / FedRAMP certifications. We are in active preparation for SOC 2 Type I (Q4 2026 target). Customers who need a certification today should hold for that issuance, or engage with us under a NDA for evidence of our control set.

Penetration testing

We engage external penetration testers annually starting Q3 2026. Reports are available under NDA to Pro and Enterprise customers.

Incident response

We maintain an internal incident-response runbook (available under NDA). We commit to:

  • Status page update within 30 minutes of detection
  • Customer email update within 2 hours for any Sev1 affecting their data
  • Public postmortem within 5 business days for any Sev1

Data retention & deletion

Approval records, audit events, and webhook delivery history are retained for the duration of the tenant's account. On account deletion (or via API key revoke + tenant close request), all tenant data is purged within 30 days. Stripe transaction records and our financial accounting are retained as required by tax / financial law (7 years).

Subprocessors

See the subprocessor list for every third-party vendor that processes customer data, with their DPA links and notification-on-change policy.

Security questions or DPA requests: email security@regengine.co.