Security
For security and compliance teams reviewing SweatStack as a vendor. If you're integrating with the API and need technical detail on auth flows or webhooks, see the developer documentation.
Standards
SweatStack uses widely-deployed standards for the security-critical parts of the system, rather than rolling its own.
- OAuth 2.0 and OpenID Connect for third-party app authorization, including PKCE for browser and mobile clients.
- JWT with RS256 signing for tokens. Public keys are served via a standard JWKS endpoint.
- HMAC-SHA256 signatures on outbound webhooks.
- TLS 1.2 or above for all traffic.
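The webhook item above says outbound webhooks carry an HMAC-SHA256 signature but does not spell out how a receiver should check it. The following is an added example of a receiver-side check, written for this page and not SweatStack's own code. It assumes, because the page does not say, that the signature is sent as lowercase hex in a header named `X-Signature`, that the signed message is the raw request body, and that the shared secret is the one issued when the webhook was registered; the secret and payload below are constructed for illustration.

```python
"""Receiver-side verification of an HMAC-SHA256 webhook signature.

Added example, not SweatStack code. Assumed (not stated on the page):
  - header name: X-Signature, value is lowercase hex
  - signed message: the raw request body bytes
  - secret: shared at webhook registration time
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for the example; a real secret comes from the webhook registration.
WEBHOOK_SECRET = b"example-shared-secret"
SIGNATURE_HEADER = "X-Signature"  # assumed header name


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body: what the sending side is assumed to compute."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Return True only if the header signature matches the HMAC of the raw body.

    hmac.compare_digest keeps the comparison constant-time, so a mismatch does not
    leak how many leading characters were correct. Missing or empty headers are
    rejected instead of raising.
    """
    received = headers.get(SIGNATURE_HEADER, "")
    if not received:
        return False
    expected = sign(secret, body)
    return hmac.compare_digest(expected, received)


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> Optional[dict]:
    """Verify first, parse second. Returns the decoded event or None if rejected.

    The signature is checked over the bytes exactly as received. Parsing JSON and
    re-serialising it before hashing is a common bug: whitespace and key order can
    change, and the recomputed HMAC no longer matches the sender's.
    """
    if not verify(secret, raw_body, headers):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    # Constructed sample delivery.
    body = b'{"event":"activity.created","id":"act_123"}'
    headers = {SIGNATURE_HEADER: sign(WEBHOOK_SECRET, body)}
    print("raw body accepted:", handle_webhook(WEBHOOK_SECRET, body, headers) is not None)
    # Re-serialised body has different bytes, so the same header no longer verifies.
    reserialised = json.dumps(json.loads(body)).encode()
    print("re-serialised body accepted:", verify(WEBHOOK_SECRET, reserialised, headers))
```

Keep the raw request bytes available to the handler (most frameworks expose them separately from the parsed JSON) and verify before doing any work with the payload. Whether the scheme also includes a timestamp for replay protection is not stated on the page; if it does, the signed message and freshness window would need to be added to the check above.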
Data
SweatStack processes two kinds of user data: account and application metadata (users, integrations, applications, permissions), and activity timeseries data (heart rate, power, speed, etc.) ingested from connected wearables.
- All data is encrypted in transit.
- Production runs in the European Union, hosted at Hetzner (Helsinki). Physical security and data-centre operations are Hetzner's responsibility.
- Data is not currently encrypted at the disk level. We may add full-disk encryption as the customer base evolves.
- End users can revoke any third-party app's access at any time, export their data via the API, and delete their account and all associated data. Account deletion is processed manually within 30 days, typically much sooner.
Subprocessors
Third parties that may receive or process SweatStack user data:
- Hetzner for primary hosting and storage.
- Cloudflare for edge, TLS, and static-site hosting.
- Stripe for payments. Card data is handled by Stripe directly; SweatStack does not see or store it.
- Resend for transactional email, including magic-link sign-in.
- Sentry for error tracking. Logfire for application observability.
- Garmin Connect and Intervals.icu for activity ingestion and workout fan-out, only as authorized by the end user.
- Plausible Analytics for cookieless analytics on the public sites.
We update this list when subprocessors are added or removed.
Reporting a vulnerability
Email [email protected] with a description, reproduction steps, and any relevant payloads. We acknowledge reports within two business days and keep you updated as we work on a fix.
Please don't publicly disclose findings before we've had a chance to investigate. We'll work with you on a coordinated disclosure timeline.
SweatStack does not currently run a paid bug-bounty program.
Compliance posture
SweatStack is a small, founder-led company based in Norway. We're transparent about what we have and what we don't.
- GDPR. Applicable as an EU-based data processor. A Data Processing Agreement is available on request.
- SOC 2 and ISO 27001. Not in place and not currently planned. If your procurement process requires either, please reach out before going further.
Questions
For anything not covered here, email [email protected].