Security Architecture
Infrastructure Security
Cloud Infrastructure
Hosted on AWS with SOC 2 compliant infrastructure
Network Security
All traffic encrypted in transit with TLS 1.3
Data Encryption
Data encrypted at rest using AES-256
Access Controls
Role-based access control and audit logging
Data Flow Security

Authentication & Authorization
API Authentication
Fanfare uses a multi-layer authentication model:| Key Type | Usage | Scope |
|---|---|---|
Publishable Key (pk_) | Client-side SDK | Read + limited write |
Secret Key (sk_) | Server-side API | Full access |
| Consumer Token | Consumer session | User-specific access |
Key Security
- Publishable keys are safe to include in client-side code
- Secret keys must never be exposed to clients
- All keys are organization-scoped and can be rotated
Session Security
Consumer sessions include multiple security layers:- JWT tokens with short expiration
- Session validation against server state
- Session integrity checks handled by Fanfare
- Automatic refresh with secure token rotation
Data Protection
What We Store
Fanfare stores the data needed to operate experiences, authenticate consumers, and support customer reporting. Sensitive values are protected according to their data type and access path.What We Don’t Store
- Full payment card numbers, which are handled by payment processors
- Consumer passwords for passwordless authentication flows
- Raw device specifications in public integration payloads
Data Isolation
Each organization’s data is isolated by organization context. Public APIs only return resources that belong to the authenticated organization or consumer session.Compliance
Standards & Certifications
- SOC 2 Type II: Compliant infrastructure
- GDPR: Full compliance for EU users
- PCI DSS: Payment processing via certified partners
- CCPA: California privacy compliance
Regular Audits
- Annual third-party security audits
- Quarterly penetration testing
- Continuous automated security scanning
- Bug bounty program for responsible disclosure
Security Features
Rate Limiting
API endpoints are rate-limited to help protect platform availability and fairness. When a request is limited, the API returns a standard rate-limit response with retry guidance where available.Request Signing
Webhook requests are signed for verification:Audit Logging
All sensitive operations are logged:- Authentication events
- Configuration changes
- Data access patterns
- Administrative actions
Incident Response
Our Commitment
- Detection: 24/7 monitoring and alerting
- Response: Security team on-call
- Communication: Prompt notification of affected parties
- Resolution: Root cause analysis and remediation
Reporting Security Issues
If you discover a security vulnerability:- Do not disclose publicly
- Email [email protected] with details
- We’ll acknowledge within 24 hours
- Work with us on coordinated disclosure
Security Best Practices
For your integration, we recommend:Protect your secret keys
Protect your secret keys
- Store in environment variables
- Never commit to source control
- Rotate periodically
- Use separate keys for test/production
Verify webhooks
Verify webhooks
- Always verify webhook signatures - Use HTTPS endpoints only - Implement idempotency - Validate payload structure
Secure your checkout
Secure your checkout
- Validate handoff tokens server-side - Set appropriate session timeouts - Use HTTPS everywhere - Implement CSRF protection
Monitor for anomalies
Monitor for anomalies
- Track authentication failures
- Monitor rate limit hits
- Alert on unusual patterns
- Review audit logs regularly
Related Resources
- Authentication Best Practices - Secure auth flows
- Data Privacy - GDPR and privacy
- Bot Protection - Fraud prevention