Security at APInguin
Last updated: July 5, 2026
Data protection
- Encryption in transit and at rest: all traffic is served over TLS; stored credentials and provider API keys are encrypted at rest, with optional per-tenant keys backed by AWS KMS for enterprise plans.
- Passwords are hashed with a modern memory-hard algorithm (scrypt) and are never stored or logged in plain text.
- Payment data is processed by Stripe; card numbers never reach our infrastructure.
Tenant isolation
APInguin is multi-tenant by design: every record is scoped to your workspace and every request is authorized against your session server-side. Scan pipelines, reports and integrations only operate on data belonging to your tenant.
Access control
- Role-based access with admin, operator and viewer roles per workspace.
- Enterprise SSO: SAML 2.0 and OIDC (Okta, Azure AD, Auth0, Google Workspace and others), including an SSO-only enforcement mode for claimed domains.
- Audit logging: administrative and security events are recorded in an append-only audit trail.
Application security
- Rate limiting with escalating lockouts on authentication endpoints, and target-keyed limits on verification codes so attackers cannot flood a victim by rotating IPs.
- CSRF protection, strict security headers (HSTS, frame denial, content-type sniffing protection) and a restricted CORS policy.
- Server-side request protections that block access to private networks and cloud metadata endpoints when fetching external content.
- Abuse controls on public endpoints: bot verification, per-IP and global usage caps.
AI data handling
Content is analyzed by third-party AI providers under enterprise API terms that exclude training on your data. We send only the public content being scanned, never your account credentials or billing details, and we record which model and provider produced every automated assessment for full traceability.
Responsible disclosure
If you believe you have found a security vulnerability in APInguin, please email security@apinguin.com with details and steps to reproduce. We commit to acknowledging reports promptly, keeping you informed of remediation progress, and not pursuing legal action against good-faith research that respects user privacy and avoids service disruption.