Trust center
One bookmark for everything compliance-relevant.
Security architecture, sub-processor list, legal agreements, and incident history — published in one place. Buyer evaluations and ongoing GDPR/DPA reviews can start here without an email chain.
Security
Architecture + posture →
Five pillars shipped today: scrypt-hashed API keys at rest, HMAC-signed webhooks, no-customer-data-access enforcement, EU-resident infrastructure, and customer-configurable egress per profile (SOCKS5 with UDP/QUIC/WebRTC, plus OpenVPN + WireGuard). See /trust/security-overview for the live posture across each pillar.
Sub-processors
Live list + regions →
Every organisation that processes customer data on Driftstack's behalf, with region, purpose, and transfer mechanism. Source of truth for Article 28(2) amendment notices; mirrored in DPA Annex 3.
Incident history
Past events + post-mortems →
Customer-impacting outages and security incidents, with timestamps, customer impact, root cause, and the remediation we applied. The live status badge above shows current platform health.
Legal
DPA · Privacy · Terms · AUP →
Standard agreements ready to sign on the customer side: Data Processing Agreement (Article 28 + SCCs), Privacy Policy (Article 13–15 disclosures), Terms of Service, Acceptable Use Policy.
Compliance
Certifications + pen-test + disclosure →
Honest current state: certifications in place + in progress, pen-test access workflow, vulnerability-disclosure policy + safe-harbour, sub-processor change SLA, audit-log retention.
Security overview
Evaluator's checklist →
Every security claim mapped to the code path, test, or doc that backs it up. The page a prospect's CISO skims before scheduling a vendor review call.
Cumulative rig
Signal-by-signal methodology →
The full set of fingerprint signals Driftstack measures against the reference iPhone, with Stealth-Chromium-vs-Driftstack contrast values. The methodology behind the indistinguishability claim.
Quick reference
The questions buyer evaluations always ask.
- Where is data hosted?
- EU only. Compute (Hetzner Nuremberg), database (Neon Frankfurt), object storage (Cloudflare R2 EU jurisdiction). Full list at /trust/sub-processors.
- Do you see our destination URLs?
- No. Session traffic exits through your egress (the SOCKS5 / OpenVPN / WireGuard proxies you configure). Driftstack orchestrates the session; the proxy carries the bytes.
- Are API keys recoverable by staff?
- No. Keys are scrypt-hashed at rest. A database breach surfaces hashes, not keys. If a key leaks, rotate via the dashboard's 24-hour grace flow.
- How do we get a DPA on file?
- The DPA at /legal/dpa is pre-signed by Driftstack; acceptance is completed by counter-signing on the customer side. Standard SCCs apply for any non-EU transfer named in Annex 3.
- What's the incident-response SLA?
- Self-serve tiers operate without a contractual uptime SLA — we publish incidents at /trust/incidents and the live status above. Self-hosted SKUs and Enterprise tiers carry contractual SLA terms.
- How do we get a security questionnaire answered?
- Email [email protected] with the document; we'll fill it line-by-line. CAIQ / VSAQ / vendor portals all welcome.
Compliance review
Bring the questionnaire. We'll fill it.
CAIQ, VSAQ, custom enterprise vendor questionnaires — all welcome. Most answers come out of the pages linked above; the rest we write line-by-line within a working day.