# Security Practices (/docs/trust/security)



This page describes the current state of our security practices. We
only list what we can back up from the codebase or infrastructure
configuration.

## Encryption [#encryption]

* **In transit.** TLS 1.2 or higher is required everywhere:
  `api.layers.com`, `in.layers.com`, `docs.layers.com` and the app are
  fronted by a managed load balancer with managed TLS certificates.
  HTTP is redirected to HTTPS.
* **At rest (database).** Primary database data is encrypted at rest
  with AES-256.
* **At rest (object storage).** Object storage buckets hosting
  generated media use provider-managed encryption keys.
* **Column-level secrets.** OAuth tokens, CAPI access tokens, webhook
  signing secrets, and partner API key hashes are additionally
  protected, either held in a column-level secret store or
  bcrypt-hashed; see [Vault](/docs/trust/vault).

## Partner API key hashing [#partner-api-key-hashing]

Partner API keys take the shape `lp_<env>_<keyid>.<secret>`. The
secret portion is hashed with bcrypt at cost factor 12 before being
stored. We store only the hash — if you lose the key, rotate; we
cannot send it to you.

## Timing-safe verification [#timing-safe-verification]

Key verification uses constant-time comparison so request timing can't
leak whether a given key prefix exists.
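
The hash-only storage and constant-time verification described in the two sections above, combined into one added example; this is not Layers' code. Assumptions, all hypothetical: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt at cost factor 12, and the `env`/`keyid` alphabet, the in-memory `store`, and the decoy record used for unknown key ids are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Key shape from this page: lp_<env>_<keyid>.<secret>
# Assumption: env and keyid are alphanumeric; the page does not define their alphabets.
KEY_RE = re.compile(r"lp_([A-Za-z0-9]+)_([A-Za-z0-9]+)\.(.+)", re.DOTALL)
ITERATIONS = 100_000  # constructed work factor for the stand-in KDF


def slow_hash(secret: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: a salted, deliberately slow hash from the standard library.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def new_record(secret: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_hash(secret, salt)}  # the secret itself is never stored


# Decoy record: hashed against when the key is malformed or its key id is unknown,
# so those requests do the same work as a wrong secret for a real key id.
DECOY = new_record(os.urandom(32).hex())


def verify(presented: str, store: dict) -> bool:
    m = KEY_RE.fullmatch(presented)
    env, key_id, secret = m.groups() if m else ("", "", presented)
    record = store.get((env, key_id))
    target = record or DECOY
    candidate = slow_hash(secret, target["salt"])
    # hmac.compare_digest does not stop at the first differing byte.
    matches = hmac.compare_digest(candidate, target["hash"])
    return matches and record is not None


def issue(env: str, key_id: str, store: dict) -> str:
    secret = os.urandom(24).hex()
    store[(env, key_id)] = new_record(secret)
    return f"lp_{env}_{key_id}.{secret}"  # shown to the partner once; only the hash is kept
```
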

## Access controls [#access-controls]

### Customer-side [#customer-side]

* Row-Level Security (RLS) on tenant tables.
* Role-based authorization at the API layer; RLS sees the project/org
  context for every request.

### Layers-internal [#layers-internal]

* Engineering access to production is scoped and audited.
* Production access requires authenticated SSO with MFA.

## Vulnerability disclosure [#vulnerability-disclosure]

Email [security@layers.com](mailto:security@layers.com) with repro
steps and the `requestId` of any affected request. We aim to reply
promptly and will not pursue legal action against good-faith
researchers operating within
[standard safe-harbor terms](https://disclose.io/).

Layers does not currently run a paid bug-bounty program.

Please don't open public GitHub issues for vulnerabilities.

## Supply chain [#supply-chain]

* Pull-request-based workflow — no direct-to-prod commits.
* CI runs typecheck + tests on every PR.

## Logging [#logging]

* Centralized logging for application + infrastructure logs.
* Partner API request logs retained 30 days.
* Raw request/response bodies are not persisted beyond the in-memory
  request scope.
