SOC 2 Type II certified Learn more

Capawesome Security

Move forward with confidence. Capawesome is built with security in mind, ensuring your live updates are delivered safely and reliably. Our commitment to security means you can focus on delivering exceptional user experiences without compromising on safety.

Product security

SOC 2 Type II Compliance

We take our customers' data security seriously. Our SOC 2 Type II compliance demonstrates our commitment to maintaining the highest standards of security and privacy. This certification ensures that we have implemented robust controls to protect your data and maintain its confidentiality, integrity, and availability.

Access Control

We enforce strict access controls to ensure that only authorized personnel can access sensitive data. This includes role-based access controls (RBAC) and regular audits of access logs.

Source code protection

Access to source code via your version control system is always encrypted using SSH and/or HTTPS.

Encrypted Credential Storage

Your signing credentials — Apple API keys, .p12 certificates, provisioning profiles, and Android keystores — are encrypted at rest, accessible only to the automated build and publish pipeline, and deleted when your account or contract ends.

Isolated Build Environments

Your source code is processed only for its intended purpose inside isolated build environments. No one on our team accesses it outside of a support case you have explicitly authorized.

Data security

Data Encryption

We use industry-standard encryption protocols to protect your data at rest and in transit. This ensures that your sensitive information is always secure and inaccessible to unauthorized users.

Data Backup

Regular backups of your data are performed to ensure that you can recover from any data loss incidents. Our backup processes are designed to minimize downtime and ensure business continuity.

No AI or ML Training

We never use your data — source code, build artifacts, credentials, or end-user SDK data — to train, fine-tune, or improve AI or ML models.

Strict Data Separation

Production and test data are kept in separate systems, and every customer's data is processed in logically isolated environments.

Network security

TLS Encryption

All data transmitted between your applications and our servers is protected using TLS 1.3 encryption, ensuring complete security during transit and preventing interception or tampering.

DDoS Protection

Our infrastructure includes comprehensive DDoS protection to ensure your live updates remain available even during attack attempts, maintaining service reliability and uptime.

Network Monitoring

24/7 network monitoring and threat detection systems continuously watch for suspicious activity, providing early warning and automatic response to potential security incidents.

Application security

Code Signing

All live updates can be cryptographically signed to ensure authenticity and integrity. Your applications verify these signatures before applying updates, preventing malicious code injection.

Vulnerability Scanning

Regular automated security scans are performed on our platform and infrastructure to identify and remediate potential vulnerabilities before they can be exploited.

Secure Development

Our development process follows secure coding practices with regular security reviews, penetration testing, and adherence to OWASP guidelines to prevent common vulnerabilities.

Audit Logging

Security-relevant actions are logged — what changed, when, and by whom — so every access and modification stays traceable.

Business security

Privacy Compliance

We maintain compliance with GDPR and other privacy regulations, ensuring your user data is handled according to the highest privacy standards and legal requirements.

Business Continuity

Comprehensive disaster recovery and business continuity plans ensure service availability even during unexpected events, with automated failover and redundant systems across multiple regions.

Incident Response

Our documented incident-response process covers detection, containment, remediation, and post-incident review. We notify you without undue delay — within 48 hours for personal-data breaches.

Confidentiality Obligations

Everyone with access to personal data is bound by confidentiality obligations that continue even after their engagement ends.

Subprocessor Management

We contractually hold every subprocessor to the same data-protection obligations we commit to, and notify you at least 30 days before any change.

International Data Transfers

Cross-border transfers are safeguarded by the EU-US Data Privacy Framework and EU Standard Contractual Clauses, with a transfer impact assessment for every third-country transfer.

Data Export & Deletion

When you leave, the choice is yours: export your data in machine-readable formats or have it deleted — and we honor deletion requests in line with the GDPR.

Responsible Disclosure

We run a responsible-disclosure program with safe-harbor protection for good-faith security researchers. Report issues anytime to security@capawesome.io.

Physical security

Secure Data Centers

Our infrastructure is hosted in tier-3 certified data centers with multi-layered physical security controls including biometric access, 24/7 surveillance, and environmental monitoring.

Hardware Security

All hardware is secured with tamper-evident seals and regular inspections. Decommissioned equipment undergoes secure data destruction following industry best practices.

Environmental Controls

Advanced fire suppression, climate control, and power management systems protect our infrastructure from environmental threats, ensuring consistent service availability.

FAQ

Frequently asked questions

Still have questions about how we keep your apps and data secure? Reach out to our security team at any time.

Yes. Capawesome is SOC 2 Type II compliant, demonstrating independently audited controls over the security, confidentiality, and availability of your data. The audit report is available on request.

Yes. We process personal data in accordance with the GDPR and honor data deletion requests. Our data center partners are also ISO 27001-certified.

All data is encrypted in transit with TLS 1.3 and at rest using industry-standard encryption. Access to your source code through your version control system is always encrypted using SSH and/or HTTPS.

We enforce strict role-based access controls (RBAC) so that only authorized personnel can access sensitive data, backed by least-privilege principles and regular audits of access logs.

Live updates can be cryptographically signed, and your app verifies each signature before applying an update. This prevents tampering and malicious code injection, so only trusted updates ever reach your users.

We run regular automated vulnerability scans across our platform and infrastructure, follow secure coding practices aligned with the OWASP guidelines, and conduct ongoing security reviews and penetration testing.

Our infrastructure includes DDoS protection, 24/7 monitoring, and redundant systems with automated failover. A dedicated team follows established incident-response procedures, and you can track real-time service status at status.capawesome.io.

Email our security team at security@capawesome.io. We investigate every report and respond promptly. Our security policy describes the responsible disclosure process, including safe-harbor protection for good-faith researchers.

Ready to get started?

Ship faster with Live Updates, Native Builds, and App Store Publishing. Check out our docs, explore our GitHub examples, and start building your Capacitor app today.