We take security seriously. Bootnode is SOC 2 Type II certified and implements defense-in-depth across every layer of our infrastructure. Your API keys, data, and webhook payloads are protected by industry-leading security practices.
Bootnode has completed SOC 2 Type II certification, independently verifying that our systems and processes meet the highest standards for security, availability, processing integrity, confidentiality, and privacy. Our SOC 2 report is available to enterprise customers under NDA.
All data is encrypted in transit using TLS 1.3 with modern cipher suites. Data at rest is encrypted using AES-256-GCM. Database backups, logs, and any stored blockchain data are fully encrypted. We enforce HSTS and certificate transparency for all public endpoints.
API keys are hashed using bcrypt before storage. We never store plaintext API keys in our database. Keys are displayed only once at creation time. You can restrict keys by IP address, HTTP referrer, and specific API methods. Key rotation is supported with zero downtime.
Every webhook delivery includes an HMAC-SHA256 signature in the X-Bootnode-Signature header, computed using a per-webhook signing secret. This allows you to cryptographically verify that webhook payloads originated from Bootnode and have not been tampered with in transit.
All API endpoints are protected by multi-layer rate limiting at the edge, application, and per-key levels. Our infrastructure is fronted by enterprise-grade DDoS protection capable of absorbing volumetric attacks exceeding 1 Tbps. Adaptive rate limiting automatically adjusts to abnormal traffic patterns.
Our infrastructure runs on hardened, purpose-built systems with minimal attack surface. All systems are patched within 24 hours of critical CVE disclosure. We use network segmentation, least-privilege IAM policies, and immutable infrastructure patterns. No engineer has standing access to production systems -- all access requires just-in-time approval with full audit logging.
We conduct annual third-party penetration tests covering our API endpoints, dashboard application, and infrastructure. Critical findings are remediated within 48 hours. Pentest reports are available to enterprise customers under NDA.
Automated dependency scanning runs on every pull request using Dependabot and Snyk. Critical vulnerabilities in dependencies are patched within 24 hours. We maintain a software bill of materials (SBOM) for all production services.
All employees use hardware security keys for authentication. Production access requires multi-party approval and is logged immutably. We enforce least-privilege access across all systems and conduct quarterly access reviews.
We maintain a documented incident response plan with defined severity levels, escalation paths, and communication procedures. All security incidents are reviewed in post-incident reviews. Critical incidents are communicated to affected customers within 24 hours.
API request logs are retained for 30 days on Growth plans and 90 days on Enterprise plans. Webhook delivery logs are retained for the same period. You can request deletion of your data at any time by contacting support.
In addition to SOC 2 Type II, we align our practices with the OWASP Top 10, CIS Benchmarks, and NIST Cybersecurity Framework. GDPR data processing agreements are available for customers operating in the EU.
We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue in Bootnode, please report it to us privately so we can address it before public disclosure.
Send vulnerability reports to security@bootnode.dev. Include a detailed description, steps to reproduce, and any proof-of-concept code. We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.
We do not currently offer monetary bounties but will credit researchers in our security acknowledgments with their permission.
Our team is happy to discuss our security practices, provide SOC 2 reports, or answer compliance questions.