Trust center
One bookmark for everything compliance-relevant.
Security architecture, sub-processor list, legal agreements, and incident history — published in one place. Buyer evaluations and ongoing GDPR / data-processing-agreement (DPA) reviews can start here without an email chain.
Security
Architecture + posture →
Six pillars shipped today: everything between you and us travelling encrypted (TLS), each profile bringing its own internet exit — your SOCKS5 proxy (including UDP/QUIC/WebRTC traffic) or your OpenVPN / WireGuard VPN, API keys stored only as one-way scrypt hashes (unreadable even to us), webhooks cryptographically signed so you can prove each message came from us (HMAC), team roles where your whole team can look but only admins can change, and a design that keeps our staff from ever seeing your session content. All of it runs on EU servers. The live posture across each pillar is on the security overview (its own card below).
Sub-processors
Live list + regions →
Every outside company that handles customer data for us (our sub-processors), with where it runs, what it does, and the legal basis for any data leaving the EU (the transfer mechanism). This list is the official source for the 30-day change notices GDPR Article 28(2) requires, and it appears verbatim as Annex 3 of our data-processing agreement (DPA).
Incident history
Past events + post-mortems →
Customer-impacting outages and security incidents, with timestamps, customer impact, root cause, and the remediation we applied. Live status badge above for current platform health.
Legal
DPA · Privacy · Terms · AUP →
Standard agreements ready to sign on the customer side: Data Processing Agreement (GDPR Article 28, including the EU's Standard Contractual Clauses — SCCs — for data sent abroad), Privacy Policy (the GDPR Article 13–15 disclosures: what we collect and your rights over it), Terms of Service, Acceptable Use Policy.
Compliance
Certifications + pen-test + disclosure →
Honest current state: which certifications are in place or in progress, how to get our penetration-test reports (paid ethical hackers attacking the platform), how to report a security hole — and our promise not to sue good-faith researchers ("safe harbour") — how much warning you get before we change vendors, and how long logs are kept.
Security overview
Evaluator's checklist →
Every security claim mapped to the code path, test, or doc that backs it up. The page your security lead (CISO) skims before scheduling a vendor review call.
Cumulative rig
Signal-by-signal methodology →
Every measurable fingerprint signal — the details a website can read about a browser — checked one by one against a real reference iPhone, shown side by side with what a typical disguised-Chromium ("stealth") tool returns. The evidence behind our claim that sessions can't be told apart from a real iPhone.
Quick reference
The questions buyer evaluations always ask.
- Where is data hosted?
- EU by default. Compute (Hetzner Nuremberg), database (Neon Frankfurt); object storage (Cloudflare R2, EU + US replication). Full list at /trust/sub-processors.
- Do you see our destination URLs?
- No. Session traffic leaves for the web through the exit you configure (your egress) — your own SOCKS5 proxy or OpenVPN / WireGuard VPN. Driftstack starts and manages the session; your proxy carries the actual browsing traffic, so the addresses you visit don't pass through us.
- Are API keys recoverable by staff?
- No. Keys are stored only as one-way scrypt hashes — staff, and even a database thief, see scrambled values, not keys. If a key leaks, rotate it in the dashboard; the old key keeps working for 24 hours (the grace window) so nothing breaks mid-switch.
- How do we get a DPA on file?
- The DPA at /legal/dpa is already signed by Driftstack — sign your side and it's in force. The EU's Standard Contractual Clauses (SCCs) cover any transfer of data outside the EU listed in Annex 3 (the vendor list attached to the DPA).
- What's the incident-response SLA?
- Most plans come without a contractual uptime guarantee (an SLA) — we publish incidents at /trust/incidents and the live status above. The API Scale and Enterprise tiers carry a contractual SLA (99.9% monthly availability + a Severity-1 first-response commitment — see the SLA policy).
- How do we get a security questionnaire answered?
- Email support@driftstack.dev with the document; we'll fill it line-by-line. Standard security-questionnaire formats (CAIQ / VSAQ), custom spreadsheets, and vendor portals all welcome.
Compliance review
Bring the questionnaire. We'll fill it.
Standard security-questionnaire formats (CAIQ, VSAQ) and custom enterprise vendor questionnaires — all welcome. Most answers come out of the pages linked above; the rest we write line-by-line within a working day.