Security, privacy & editorial trust
A2Key is used by procurement teams to spend money. We take security, data protection and editorial independence seriously — here's exactly how, in plain language.
Editorial trust & methodology
Independence is our product. Here's how we protect it.
How we rank
Rankings combine editor scores, verified user reviews, feature depth, and value-for-money. Weights are documented per category page.
Affiliate disclosure
Some outbound links earn A2Key a commission. This never affects rankings, editor scores, or which merchants appear — always disclosed inline.
Editorial policy
Every guide is written or reviewed by an in-house analyst. Vendors cannot pay to modify content, remove reviews, or influence editorial verdicts.
Review integrity
Reviews are verified against purchase records where possible. We remove reviews flagged as incentivised, duplicated, or vendor-authored.
Security posture
- •TLS 1.2+ for all traffic; HSTS enforced.
- •AES-256 at rest for database and object storage.
- •Secrets stored in environment vaults — never in source or logs.
- •OAuth (Google) + email/password with bcrypt-hashed credentials.
- •Role-based access enforced via Postgres RLS policies.
- •Service-role keys isolated to server runtimes only.
- •API keys: SHA-256 hashed at rest, scope-limited, revocable.
- •Managed Postgres on AWS with daily encrypted backups and PITR.
- •Stripe handles all card data — A2Key is PCI scope-minimised (SAQ-A).
- •Cloudflare-fronted edge with global rate limiting and DDoS protection.
- •Admin actions written to an immutable audit_log table.
- •Webhook deliveries logged with attempts, HMAC signatures, and replay.
- •API request logs retained 30 days with status, latency, and IP.
- •On-call rotation for SEV-1/2 events; status posted within 1 hour.
- •Postmortems published for any security-impacting incident.
- •security@a2key.com for responsible disclosure — 90-day window.
- •GDPR-ready: data export and deletion available from /account.
- •DPA available for paid customers on request.
- •SOC2 Type I — in progress. SOC2 Type II — planned for Q1 next year.
Target SLA: 99.9% monthly uptime for the public API and product pages.
Live status: status.a2key.com
Sub-processors
The third parties that process A2Key data. We notify customers of material changes.
| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Postgres, auth, storage | EU / US |
| Stripe | Payments & billing | Global |
| Cloudflare | Edge, CDN, DDoS | Global |
| Resend | Transactional email | US |
| Lovable AI Gateway | AI features | EU / US |
Security questionnaire or pen-test report?
Enterprise customers can request our latest assessment package, sub-processor list, and DPA.