Auth that passes the audit.
Not auth that blocks it.
Bastionary was designed security-first. Tamper-evident logs, breach detection on every password, asymmetric JWT signing, and GDPR right-to-erasure — all out of the box.
Your compliance checklist. Already done.
- Tamper-evident audit log with SHA-256 chain
  Every auth event (login, logout, MFA, password change, token issue) is logged with IP, user-agent, device fingerprint, and risk score. Each entry hashes the previous — tampering is detectable by hash verification. SIEM-compatible JSON export.
- HIBP breach detection on every password set
  Uses Troy Hunt's k-anonymity API — we send the first 5 characters of the SHA-1 hash, never the full hash or plaintext. If the password appears in 850M+ known breached credentials, it's rejected at registration and on change. Strong privacy-preserving design — only the first 5 hash characters ever leave the system. Can be disabled for air-gapped or fully offline deployments.
- Asymmetric JWT signing (RS256/ES256/EdDSA)
  JWKS endpoint published at /.well-known/jwks.json. Private signing key never leaves your infrastructure. Services can verify tokens using only the public key — no shared secret required. JWKS rotation supported.
- DPoP sender-constrained tokens (RFC 9449)
  Access tokens are cryptographically bound to the client's private key. A stolen bearer token is immediately reusable; a stolen DPoP-bound token is useless without the corresponding private key. Required by FAPI 2.0.
- Impossible-travel and risk engine
  Login events scored in real time: IP geolocation delta (impossible travel), new device fingerprint, breach check, unusual hour. Risk score ≥ threshold triggers step-up to MFA passkey. All thresholds configurable.
- Fernet field-level encryption for PII at rest
  Sensitive fields (email, phone, name) encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before storage. Key stored separately from data — database breach without key is useless ciphertext.
- GDPR Article 17 right-to-erasure endpoint
  DELETE /api/v1/execute with command USER.ERASE permanently removes user PII, pseudonymizes audit entries (retains event type + timestamp for compliance, replaces identifiers with hashes), and cascades to all related tables.
- PBKDF2 + bcrypt password hashing, zero plaintext
  Passwords are hashed with bcrypt (configurable cost factor, default 12) before storage. No password ever written to logs, error messages, or database fields. HIBP check happens on the plaintext before hashing.
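The hash-chained audit log from the first item above, as an added illustration rather than Bastionary's own code: each entry's SHA-256 covers its own fields plus the previous entry's hash, so an after-the-fact edit or a deleted entry fails verification. Field names, the genesis anchor and the sample events are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor hash for the first entry in a chain


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization so verification recomputes the exact same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: str, user: str, ip: str, user_agent: str,
                 device_fp: str, risk: int, ts: str) -> dict:
    """Append one audit entry whose hash covers its fields and the previous hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"ts": ts, "event": event, "user": user, "ip": ip,
             "user_agent": user_agent, "device_fp": device_fp,
             "risk": risk, "prev_hash": prev}
    entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        # A deleted or reordered predecessor breaks the link; an edited field breaks the hash.
        if body.get("prev_hash") != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def export_jsonl(chain: list) -> str:
    # One JSON object per line, the shape most SIEMs ingest directly.
    return "\n".join(json.dumps(e, sort_keys=True) for e in chain)


def demo():
    chain = []  # constructed sample events, not real traffic
    append_event(chain, "login", "alice", "203.0.113.7", "Mozilla/5.0", "fp-a1", 5, "2026-01-10T08:00:00Z")
    append_event(chain, "mfa", "alice", "203.0.113.7", "Mozilla/5.0", "fp-a1", 5, "2026-01-10T08:00:05Z")
    append_event(chain, "password_change", "alice", "198.51.100.9", "curl/8.6", "fp-b2", 70, "2026-01-10T21:30:00Z")
    intact = verify_chain(chain)
    chain[1]["ip"] = "203.0.113.8"  # after-the-fact edit of a stored entry
    return intact, verify_chain(chain)
```

Anyone with write access to the store could recompute every later hash, so the chain only proves tampering relative to a head hash held elsewhere; exporting the latest hash to the SIEM on each export gives that external anchor.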
What procurement actually asks for.
SOC 2 Type II
Audit evidence exporter in Q2 2026. Currently: structured logs with all required fields, immutable log chain, access control evidence.
GDPR / CCPA
Right-to-erasure API, consent receipts with version + timestamp + IP, data portability export, purpose-limited processing architecture.
HIPAA BAA
Self-hosted deployment means your VPC, your controls. We'll sign a BAA for cloud-hosted accounts. Contact us for specifics.
ISO 27001
Access management controls, audit trails, incident logging, and key management all documented. Security architecture overview at /security.
PCI DSS (adjacent)
Bastionary handles auth; payment processing routes through your payment processor directly. We're not in scope for PCI — but our audit logs support your PCI audit evidence.
NIST 800-53 / FedRAMP
On roadmap for government customers. FIPS 140-2 compliant cipher selection available as a configuration flag. Contact us for federal compliance timelines.
Your user data never leaves your infrastructure.
This is not a policy statement. This is architecture. Bastionary is a self-hosted binary. It connects to your database. It runs in your VPC. There is no outbound data path to external servers. Your user records, session tokens, audit events, and PII exist only where you choose to store them.
For cloud-hosted customers (Cloud Starter / Cloud Pro), data is stored on Hetzner servers in Nuremberg, Germany (EU). You can migrate to self-hosted at any time by exporting your database and running the binary on your own infrastructure.
Let's go through your questionnaire.
Send us your vendor security questionnaire or CAIQ. We'll complete it with full technical responses. For pen test reports or architecture review calls, contact us directly.