Security

For security and compliance teams reviewing SweatStack as a vendor. If you're integrating with the API and need technical detail on auth flows or webhooks, see the developer documentation.

Standards

SweatStack uses widely-deployed standards for the security-critical parts of the system, rather than rolling its own.

  • OAuth 2.0 and OpenID Connect for third-party app authorization, including PKCE for browser and mobile clients.
  • JWT with RS256 signing for tokens. Public keys are served via a standard JWKS endpoint.
  • HMAC-SHA256 signatures on outbound webhooks.
  • TLS 1.2 or above for all traffic.
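As an added illustration of the receiving side of the webhook signing listed above (example code, not SweatStack's own, and not its documented wire format), this verifies an HMAC-SHA256 signature over the raw request body with a constant-time comparison before the payload is parsed; the header name, hex encoding and sample secret are assumptions.

```python
import hashlib
import hmac
import json

# Constructed values for the demo. The header name and hex encoding are
# assumptions; the real format is defined in the developer documentation.
WEBHOOK_SECRET = b"constructed-demo-secret"
SIGNATURE_HEADER = "X-SweatStack-Signature"  # assumed header name


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes on the wire, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the delivery carries a valid signature.

    Verify against the raw body, not a re-serialised JSON object, and use a
    constant-time comparison so a forged value cannot be matched byte by byte.
    """
    presented = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if not presented:
        return False  # unsigned deliveries are rejected, never trusted
    expected = sign(secret, body)
    return hmac.compare_digest(expected, presented.strip().lower())


def demo() -> dict:
    """Exercise the accept path and three reject paths on a constructed event."""
    body = json.dumps(
        {"event": "activity.created", "activity_id": "demo-123"},
        separators=(",", ":"),
    ).encode()
    headers = {SIGNATURE_HEADER: sign(WEBHOOK_SECRET, body)}
    tampered = body.replace(b"demo-123", b"demo-124")
    return {
        "valid": verify_webhook(WEBHOOK_SECRET, headers, body),
        "tampered_body": verify_webhook(WEBHOOK_SECRET, headers, tampered),
        "missing_header": verify_webhook(WEBHOOK_SECRET, {}, body),
        "wrong_secret": verify_webhook(b"some-other-secret", headers, body),
    }


if __name__ == "__main__":
    print(demo())
```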

Data

SweatStack processes two kinds of user data: account and application metadata (users, integrations, applications, permissions), and activity timeseries data (heart rate, power, speed, etc.) ingested from connected wearables.

  • All data is encrypted in transit.
  • Production runs in the European Union, hosted at Hetzner (Helsinki). Physical security and data-centre operations are Hetzner's responsibility.
  • Data is not currently encrypted at the disk level. We may add full-disk encryption as the customer base evolves.
  • End users can revoke any third-party app's access at any time, export their data via the API, and delete their account and all associated data. Account deletion is processed manually within 30 days, typically much sooner.

Subprocessors

SweatStack uses a small number of trusted providers for hosting, payments, email, observability, analytics, and authorized wearable integrations. The canonical list, including purpose and region per provider, is maintained at sub-processors.md. We update that page when subprocessors are added or removed.

Operational status

Live system status, incident history, and uptime are at status.sweatstack.no.

Reporting a vulnerability

Email [email protected] with a description, reproduction steps, and any relevant payloads. We acknowledge reports within two business days and keep you updated as we work on a fix.

Please don't publicly disclose findings before we've had a chance to investigate. We'll work with you on a coordinated disclosure timeline.

SweatStack does not currently run a paid bug-bounty program.

Compliance posture

SweatStack is a small, founder-led company based in Norway. We're transparent about what we have and what we don't.

  • GDPR. Applicable as an EU-based data processor. See the Data Processing Agreement.
  • SOC 2 and ISO 27001. Not in place and not currently planned. If your procurement process requires either, please reach out before going further.

Continuity

We don't believe in lock-in by design. A few specifics on what that means in practice:

  • Data export. Both end users and developers can pull the data they're authorized for via the SweatStack API at any time. There's no proprietary export tool to learn; the same API you build on is the same API you'd use to leave.
  • Account and data deletion. End users can revoke any third-party app's access, export their data, and delete their account and all associated data. See the Data section above.
  • No vendor lock-in by design. SweatStack runs on a standard containerized stack on commodity cloud infrastructure. There's nothing exotic underneath that would make the data or the workload hard to move.
  • If SweatStack shuts down. We commit to a reasonable wind-down window during which customers can extract their data and migrate. For enterprise customers, source code escrow is available on request as an additional safeguard.

Questions

For anything not covered here, email [email protected].