Security

Last updated: April 25, 2026

OneStore handles your Apple .p8 keys and Google .json service accounts. The security of these secrets is our #1 commitment.

Encryption

  • AES-256-GCM for encryption of secrets at rest.
  • Encryption keys managed by a separate KMS, rotated every 90 days.
  • TLS 1.3 required in transit.

Access

  • No employee has access to secrets in clear text. Apple/Google operations go through a signed service that derives short-lived JWTs.
  • Admin access protected by mandatory WebAuthn (passkeys).
  • Immutable audit logs, kept 12 months.

Hosting

Data and secrets are hosted in the EU (Vercel + Neon EU). Encrypted data is not transferred outside the EU.

Targeted compliance

SOC 2 Type II (audit planned Q4 2026), ISO 27001 (2027). GDPR-native.

Responsible disclosure

Found a vulnerability? Email us at support@onestore.so (PGP key on request). Bug bounty coming soon.