Sovereign by default
Apinizer runs entirely on the customer’s Kubernetes cluster. That means:
- No calls home. The Worker (data plane) does not phone Apinizer. The Manager (control plane) does not phone Apinizer. Telemetry stays in the customer’s cluster.
- Air-gap supported. Enterprise customers run Apinizer in air-gapped clusters with no outbound network access at all.
- Rootless containers. Apinizer images on Docker Hub are rootless, which gives a reduced privilege footprint by default.
Audit at the persistence layer
Every Repository.save in the Manager goes through the audit aspect. Bypassing it is rejected at the framework level — not by convention. The audit log captures the actor, timestamp, before/after delta, and an optional reason.
Encrypted secrets, by annotation
Fields marked @SecretData are encrypted before they hit the database and decrypted only when the runtime needs them. This includes credentials, OAuth client secrets, JWT signing keys, and LDAP bind passwords. Encryption is keyed per environment; keys rotate without breaking in-flight tokens.
Three-tier permission model
- System — platform admins, infrastructure, license
- Project — product or domain ownership
- Team — operators and developers within a project
Every read, write, and deploy flows through PermissionService.check(). APIops, the Manager UI, the Portal subscription approvals, and AI Gateway route changes share the same enforcement path.
Standards alignment
Apinizer’s controls were designed to satisfy the standards regulated industries report against:
- ISO 27001 — Information Security Management
- SOC 2 — controls audit (in progress)
- PCI-DSS — cardholder data protection (banking customers)
- BDDK — Turkish banking regulator
- KVKK / GDPR — personal data protection
- HIPAA — healthcare PHI handling (when configured)
- NIST 800-53 — federal security controls (defense customers)
Vulnerability disclosure
We welcome responsible disclosure. If you believe you have found a vulnerability in the Apinizer platform or apinizer.com:
- Email security@apinizer.com with steps to reproduce
- Include the affected version (Community / Enterprise + release tag)
- Use our PGP key (available on request) for sensitive disclosures
We acknowledge reports within two business days, target a fix within 30 days for high-severity issues, and credit reporters in release notes unless they prefer to remain anonymous.
Out of scope
Customer deployments are operated by the customer. Vulnerabilities introduced by customer configuration, third-party policies, or the customer’s own code (Groovy / JavaScript scripts in API Creator) are the customer’s responsibility — though we are happy to advise.
Contact
Security disclosures: security@apinizer.com. Customer security questions: through your account’s named CSM (Enterprise) or support@apinizer.com.