parsr.

Security & compliance

What your vendor questionnaire wants to know

We keep this page authoritative — every claim is a real implementation detail, every roadmap item is dated. If a customer asks something not covered here, we update the page rather than answering off-channel.

Engineered for the team that has to defend it in a security review

Every line below is a real implementation choice — not aspirational. Full security posture at tryparsr.dev/security.

Data residency
EU traffic stays in the EU. US traffic stays in the US. Region-bound API keys (`sk_eu_…` / `sk_us_…`) refuse cross-region calls at the edge.
Encryption in transit
TLS 1.3 from your client to Cloudflare; Authenticated Origin Pulls between Cloudflare and our boxes. No plaintext anywhere on the wire.
Encryption at rest
Cloudflare R2 server-side encryption (AES-256) on all stored documents. Postgres-at-rest encryption on Neon. Stripe handles cards; we never touch them.
Webhook signing
HMAC-SHA256 over the raw body with a customer-side secret. Replay window 5 min. We publish reference implementations in 4 languages.
Authentication
Argon2id-hashed API keys with a server-side pepper. Bearer-token only — no implicit cookies, no session leakage.
Audit & retention
30-day retention by default; configurable. Deletion-on-request endpoint for GDPR Article 17. DPA available on signup.
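
A receiver-side check for the webhook signing scheme above (HMAC-SHA256 over the raw body, 5-minute replay window), as an added example rather than one of Parsr's published reference implementations. The page does not state how the signature or send time are delivered, so the hex-encoded signature, the `timestamp` field (Unix seconds) inside the signed body, the event name and the secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

REPLAY_WINDOW_SECONDS = 5 * 60  # the 5-minute window stated on the page


def sign_for_demo(raw_body: bytes, secret: bytes) -> str:
    """Stand-in for the sender; hex encoding is an assumption."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_hex: str, secret: bytes,
                   now: Optional[float] = None) -> dict:
    """Return the parsed event if authentic and fresh, else raise ValueError."""
    # 1. MAC the exact bytes received. Re-serialising parsed JSON changes
    #    whitespace or key order and no longer matches what was signed.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # 2. Compare in constant time so timing does not leak matching prefixes.
    presented = signature_hex.strip().lower().encode("utf-8")
    if not hmac.compare_digest(expected.encode("ascii"), presented):
        raise ValueError("bad signature")
    # 3. Parse only after authentication; the timestamp is covered by the
    #    MAC because it sits inside the signed body (assumed field name).
    event = json.loads(raw_body)
    sent_at = event.get("timestamp") if isinstance(event, dict) else None
    if isinstance(sent_at, bool) or not isinstance(sent_at, (int, float)):
        raise ValueError("missing timestamp")
    current = time.time() if now is None else now
    if abs(current - sent_at) > REPLAY_WINDOW_SECONDS:
        raise ValueError("outside replay window")
    return event


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    body = b'{"event":"document.parsed","timestamp":1700000000}'  # constructed
    sig = sign_for_demo(body, secret)
    print(verify_webhook(body, sig, secret, now=1700000060))
    for label, args in [("replayed", (body, sig, secret, 1700000301)),
                        ("tampered", (body + b" ", sig, secret, 1700000060))]:
        try:
            verify_webhook(*args)
        except ValueError as err:
            print(label, "->", err)
```

A handler built on this should also record delivery identifiers seen inside the window if exactly-once processing matters, since a valid message can still be redelivered within the 5 minutes.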

EU sovereignty, in detail

  • Compute: Exoscale (A1 Group), Zürich CH, Swiss-jurisdiction operator with no US parent.
  • Storage: Cloudflare R2 with jurisdiction='eu'. The bucket physically and contractually stays in EU data centers.
  • Database: Neon Postgres on EU-resident infrastructure. Stripe records are also EU-resident.
  • Networking: Region-bound API keys mean an EU key is rejected at the US endpoint with a hint pointing to the right host. No accidental cross-border traffic.

Roadmap (dated)

  • SOC 2 Type I: audit window starts Q3 2026, letter expected Q4 2026.
  • ISO 27001: certification target 2027.
  • DPA: template available on signup; counter-signing within 1 business day.
  • Sub-processor list: public, updated within 30 days of any change. See docs.

Reporting a vulnerability

Email security@tryparsr.dev with reproduction steps. We acknowledge within 24 hours and aim to triage within 5 business days. No bounty program yet — but we do credit reporters publicly (with consent) on resolution.