
Security

Licentric is built with defense-in-depth — cryptographic integrity, tenant isolation, and strict input validation at every layer.

Ed25519 Digital Signatures

Every license file is signed with Ed25519, enabling offline verification without contacting our servers. Customers can validate license authenticity even in air-gapped environments.

AES-256-GCM Encryption

Private signing keys are encrypted at rest with AES-256-GCM, an authenticated mode that rejects any ciphertext modified after encryption. Keys are never stored in plaintext; they are decrypted in memory only for the duration of a signing operation.

HMAC-SHA256 Webhook Verification

Every outbound webhook carries an HMAC-SHA256 signature computed with the secret shared with you. Recipients recompute the signature over the payload exactly as received and compare it to the one delivered, confirming that the payload originated from Licentric and was not modified in transit.

SHA-256 API Key Hashing

API keys are hashed with SHA-256 before storage. The raw key is shown exactly once at creation and never stored. Even a full database breach exposes only the hashes, which cannot be reversed to recover the original keys.

Row Level Security (RLS)

Every database table enforces Supabase Row Level Security policies. Tenants can only access their own data — isolation is enforced at the database layer, not just application code.

Rate Limiting

All API endpoints enforce rate limits to prevent brute-force attacks, credential stuffing, and denial-of-service. Limits are applied per IP for public endpoints and per account for authenticated ones.

Zod Input Validation

Every API request is validated against strict Zod schemas at the boundary. Invalid payloads are rejected immediately with actionable error messages — before any business logic executes.

Soft Deletes & Audit Trail

Records are never hard-deleted. Every table uses a deletedAt timestamp, preserving a complete audit trail for compliance, dispute resolution, and forensic analysis.

Compliance

Built with regulatory requirements in mind from day one.

GDPR Readiness

Data Processing Agreement available on request. Right-to-erasure, data portability, and consent management built into the platform. Sub-processor list published in our Privacy Policy.

Encryption at Rest

All data is encrypted at rest via Supabase-managed PostgreSQL storage encryption. Sensitive fields (private keys, license keys) receive an additional application-level AES-256-GCM layer.

Audit Logging

Every mutation — license creation, activation, suspension, revocation — is timestamped and attributed. Immutable audit logs support compliance reviews and incident investigation.

Report a Vulnerability

If you discover a security issue, please disclose it responsibly. Contact us at security@licentric.com. We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours.