# Security at Apinizer > Effective 2026-04-01 Apinizer is built for banks, ministries, and defense organizations. The platform's security model — sovereign deployment, audit at the persistence layer, encrypted secrets, three-tier permissions — is the product, not a checkbox. --- ## Sovereign by default Apinizer runs entirely on the customer's Kubernetes cluster. - **No calls home.** The Worker (data plane) does not phone Apinizer. The Manager (control plane) does not phone Apinizer. Telemetry stays in the customer's cluster. - **Air-gap supported.** Enterprise customers run Apinizer in air-gapped clusters with no outbound network access at all. - **Rootless containers.** Apinizer images on DockerHub are rootless — reduced privilege footprint by default. --- ## Audit at the persistence layer Every write in the Manager goes through the audit aspect. Bypassing it is rejected at the framework level — not by convention. The audit log captures the actor, timestamp, before/after delta, and an optional reason. --- ## Encrypted secrets Sensitive fields are encrypted before they hit the database and decrypted only when the runtime needs them. This includes credentials, OAuth client secrets, JWT signing keys, and LDAP bind passwords. Encryption is keyed per environment; keys rotate without breaking in-flight tokens. --- ## Three-tier permission model - **System** — Platform admins, infrastructure, license - **Project** — Product or domain ownership - **Team** — Operators and developers within a project Every read, write, and deploy flows through the same permission check. APIops, the Manager UI, the Portal subscription approvals, and AI Gateway route changes share the same enforcement path. --- ## Standards alignment Apinizer's controls were designed to satisfy the standards regulated industries report against: - ISO 27001 — Information Security Management - SOC 2 — Controls audit (in progress) - PCI-DSS — Cardholder data protection (banking customers) - BDDK — Turkish banking regulator - KVKK / GDPR — Personal data protection - HIPAA — Healthcare PHI handling (when configured) - NIST 800-53 — Federal security controls (defense customers) --- ## Vulnerability disclosure We welcome responsible disclosure. If you believe you have found a vulnerability in the Apinizer platform or apinizer.com: - Email security@apinizer.com with steps to reproduce - Include the affected version (Open / Pro / Enterprise + release tag) - Use our PGP key (available on request) for sensitive disclosures We acknowledge reports within two business days, target a fix within 30 days for high-severity issues, and credit reporters in release notes unless they prefer to remain anonymous. --- ## Out of scope Customer deployments are operated by the customer. Vulnerabilities introduced by customer configuration, third-party policies, or the customer's own code (Groovy or JavaScript scripts in API Creator) are the customer's responsibility — though we are happy to advise. --- ## Contact - Security disclosures — security@apinizer.com - Customer security questions — through your account's named CSM (Enterprise) or support@apinizer.com - Customer Support Portal — https://support.apinizer.com/ --- ## Links - Products: https://apinizer.com/products - AI Gateway: https://apinizer.com/products/ai-gateway - Solutions: https://apinizer.com/solutions - Pricing: https://apinizer.com/pricing - Developers: https://apinizer.com/developers - Documentation: https://docs.apinizer.com/index-en - Blog: https://apinizer.com/blog - Contact: https://apinizer.com/company/contact © 2026 Apinizer. All rights reserved.