Trust Center

Security, privacy & editorial trust

A2Key is used by procurement teams to spend money. We take security, data protection and editorial independence seriously — here's exactly how, in plain language.

Editorial trust & methodology

Independence is our product. Here's how we protect it.

How we rank

Rankings combine editor scores, verified user reviews, feature depth, and value-for-money. Weights are documented per category page.

Affiliate disclosure

Some outbound links earn A2Key a commission. This never affects rankings, editor scores, or which merchants appear — always disclosed inline.

Editorial policy

Every guide is written or reviewed by an in-house analyst. Vendors cannot pay to modify content, remove reviews, or influence editorial verdicts.

Review integrity

Reviews are verified against purchase records where possible. We remove reviews flagged as incentivised, duplicated, or vendor-authored.

Security posture

Encryption
  • TLS 1.2+ for all traffic; HSTS enforced.
  • AES-256 at rest for database and object storage.
  • Secrets stored in environment vaults — never in source or logs.
Authentication & access
  • OAuth (Google) + email/password with bcrypt-hashed credentials.
  • Role-based access enforced via Postgres RLS policies.
  • Service-role keys isolated to server runtimes only.
  • API keys: SHA-256 hashed at rest, scope-limited, revocable.
Infrastructure
  • Managed Postgres on AWS with daily encrypted backups and PITR.
  • Stripe handles all card data — A2Key is PCI scope-minimised (SAQ-A).
  • Cloudflare-fronted edge with global rate limiting and DDoS protection.
Monitoring & audit
  • Admin actions written to an immutable audit_log table.
  • Webhook deliveries logged with attempts, HMAC signatures, and replay.
  • API request logs retained 30 days with status, latency, and IP.
Incident response
  • On-call rotation for SEV-1/2 events; status posted within 1 hour.
  • Postmortems published for any security-impacting incident.
  • security@a2key.com for responsible disclosure — 90-day window.
Compliance & data
  • GDPR-ready: data export and deletion available from /account.
  • DPA available for paid customers on request.
  • SOC2 Type I — in progress. SOC2 Type II — planned for Q1 next year.
Availability

Target SLA: 99.9% monthly uptime for the public API and product pages.

Live status: status.a2key.com

Sub-processors

The third parties that process A2Key data. We notify customers of material changes.

VendorPurposeRegion
SupabasePostgres, auth, storageEU / US
StripePayments & billingGlobal
CloudflareEdge, CDN, DDoSGlobal
ResendTransactional emailUS
Lovable AI GatewayAI featuresEU / US

Security questionnaire or pen-test report?

Enterprise customers can request our latest assessment package, sub-processor list, and DPA.