Capawesome Security
Move forward with confidence. Capawesome is built with security in mind, ensuring your live updates are delivered safely and reliably. Our commitment to security means you can focus on delivering exceptional user experiences without compromising on safety.
Product security
SOC 2 Type II Compliance
We take our customers' data security seriously. Our SOC 2 Type II compliance demonstrates our commitment to maintaining the highest standards of security and privacy. This certification ensures that we have implemented robust controls to protect your data and maintain its confidentiality, integrity, and availability.
Access Control
We enforce strict access controls to ensure that only authorized personnel can access sensitive data. This includes role-based access controls (RBAC) and regular audits of access logs.
Source code protection
Access to source code via your version control system is always encrypted using SSH and/or HTTPS.
Encrypted Credential Storage
Your signing credentials — Apple API keys, .p12 certificates, provisioning profiles, and Android keystores — are encrypted at rest, accessible only to the automated build and publish pipeline, and deleted when your account or contract ends.
Isolated Build Environments
Your source code is processed only for its intended purpose inside isolated build environments. No one on our team accesses it outside of a support case you have explicitly authorized.
Data security
Data Encryption
We use industry-standard encryption protocols to protect your data at rest and in transit. This ensures that your sensitive information is always secure and inaccessible to unauthorized users.
Data Backup
Regular backups of your data are performed to ensure that you can recover from any data loss incidents. Our backup processes are designed to minimize downtime and ensure business continuity.
No AI or ML Training
We never use your data — source code, build artifacts, credentials, or end-user SDK data — to train, fine-tune, or improve AI or ML models.
Strict Data Separation
Production and test data are kept in separate systems, and every customer's data is processed in logically isolated environments.
Network security
TLS Encryption
All data transmitted between your applications and our servers is protected using TLS 1.3 encryption, ensuring complete security during transit and preventing interception or tampering.
DDoS Protection
Our infrastructure includes comprehensive DDoS protection to ensure your live updates remain available even during attack attempts, maintaining service reliability and uptime.
Network Monitoring
24/7 network monitoring and threat detection systems continuously watch for suspicious activity, providing early warning and automatic response to potential security incidents.
Application security
Code Signing
All live updates can be cryptographically signed to ensure authenticity and integrity. Your applications verify these signatures before applying updates, preventing malicious code injection.
Vulnerability Scanning
Regular automated security scans are performed on our platform and infrastructure to identify and remediate potential vulnerabilities before they can be exploited.
Secure Development
Our development process follows secure coding practices with regular security reviews, penetration testing, and adherence to OWASP guidelines to prevent common vulnerabilities.
Audit Logging
Security-relevant actions are logged — what changed, when, and by whom — so every access and modification stays traceable.
Business security
Privacy Compliance
We maintain compliance with GDPR and other privacy regulations, ensuring your user data is handled according to the highest privacy standards and legal requirements.
Business Continuity
Comprehensive disaster recovery and business continuity plans ensure service availability even during unexpected events, with automated failover and redundant systems across multiple regions.
Incident Response
Our documented incident-response process covers detection, containment, remediation, and post-incident review. We notify you without undue delay — within 48 hours for personal-data breaches.
Confidentiality Obligations
Everyone with access to personal data is bound by confidentiality obligations that continue even after their engagement ends.
Subprocessor Management
We contractually hold every subprocessor to the same data-protection obligations we commit to, and notify you at least 30 days before any change.
International Data Transfers
Cross-border transfers are safeguarded by the EU-US Data Privacy Framework and EU Standard Contractual Clauses, with a transfer impact assessment for every third-country transfer.
Data Export & Deletion
When you leave, the choice is yours: export your data in machine-readable formats or have it deleted — and we honor deletion requests in line with the GDPR.
Responsible Disclosure
We run a responsible-disclosure program with safe-harbor protection for good-faith security researchers. Report issues anytime to security@capawesome.io.
Physical security
Secure Data Centers
Our infrastructure is hosted in tier-3 certified data centers with multi-layered physical security controls including biometric access, 24/7 surveillance, and environmental monitoring.
Hardware Security
All hardware is secured with tamper-evident seals and regular inspections. Decommissioned equipment undergoes secure data destruction following industry best practices.
Environmental Controls
Advanced fire suppression, climate control, and power management systems protect our infrastructure from environmental threats, ensuring consistent service availability.
FAQ
Still have questions about how we keep your apps and data secure? Reach out to our security team at any time.
Yes. Capawesome is SOC 2 Type II compliant, demonstrating independently audited controls over the security, confidentiality, and availability of your data. The audit report is available on request.
Yes. We process personal data in accordance with the GDPR and honor data deletion requests. Our data center partners are also ISO 27001-certified.
All data is encrypted in transit with TLS 1.3 and at rest using industry-standard encryption. Access to your source code through your version control system is always encrypted using SSH and/or HTTPS.
We enforce strict role-based access controls (RBAC) so that only authorized personnel can access sensitive data, backed by least-privilege principles and regular audits of access logs.
Live updates can be cryptographically signed, and your app verifies each signature before applying an update. This prevents tampering and malicious code injection, so only trusted updates ever reach your users.
We run regular automated vulnerability scans across our platform and infrastructure, follow secure coding practices aligned with the OWASP guidelines, and conduct ongoing security reviews and penetration testing.
Our infrastructure includes DDoS protection, 24/7 monitoring, and redundant systems with automated failover. A dedicated team follows established incident-response procedures, and you can track real-time service status at status.capawesome.io.
Email our security team at security@capawesome.io. We investigate every report and respond promptly. Our security policy describes the responsible disclosure process, including safe-harbor protection for good-faith researchers.
Ready to get started?
Ship faster with Live Updates, Native Builds, and App Store Publishing. Check out our docs, explore our GitHub examples, and start building your Capacitor app today.
Questions? Join our Discord or contact us .