Security Architecture
Your data is encrypted before it leaves the app.
Partikl encrypts at the application layer — before data touches storage, cache, or network. Keys live in an isolated Vault, separate from your data. No Partikl employee has an interface that shows decrypted content.
Feature overview: Encryption for persistent data · BYOS & BYOD (domain and storage) · Location-based · Human access
Architecture diagram (summarised): YOUR APPLICATION (plaintext exists only here) → PARTIKL ENCRYPTION at the app layer (AES-256-GCM · ChaCha20-Poly1305; per-file DEK · Namespace KEK) → ENCRYPTED TRANSIT (your data is encrypted before it leaves the app) → ENCRYPTED STORAGE at rest (your S3 or ours · EU-hosted, US coming soon · encrypted filesystem · direct disk I/O). Keys: HashiCorp Vault, isolated key store, never co-located with encrypted data.
AES-256-GCM · TLS 1.3 · mTLS internal · EU-hosted · BYOS
Encryption
Encryption happens at the application layer.
Not at the CDN. Not at the storage provider. Your data is encrypted by Partikl before it touches any external system — including your own storage if you bring it.
Application-Layer Encryption
Multi-layer key architecture
Every file is encrypted with a unique DEK before touching storage. DEKs are wrapped by a Namespace KEK, which lives in an isolated Vault — never co-located with the data it protects.
Algorithm availability by plan (Starter · Team · Enterprise):
AES-256-GCM: hardware-accelerated on all modern CPUs
ChaCha20-Poly1305: preferred for mobile and IoT devices
Per-file unique keys: maximum isolation, one DEK per asset
Key Chain: File (PLAINTEXT, your original content) → encrypted with DEK (AES-256-GCM; Data Encryption Key, unique per file) → wrapped by KEK (Namespace scope; Key Encryption Key, per Namespace) → stored in Vault (isolated key store)
Key scope is configurable per Namespace: master-nonce, per-file, or mixed. Enterprise plans support custom key rotation schedules.
Storage Layer
Encrypted before it leaves the app
BYOS: bring any S3-compatible storage. We encrypt before sending — your bucket never sees plaintext
Managed storage: custom encrypted filesystem with direct disk I/O — not generic ext4
Backup isolation: backup key hierarchy is separate from the primary key chain
Per-Namespace: encryption can be configured or disabled per Namespace. Where it is disabled, the guarantee that your bucket never sees plaintext no longer applies to that Namespace.
Network Layer
Encrypted at every hop: TLS 1.3 on external connections, mTLS between internal services
Edge: Anycast delivery with encrypted cache entries per Variant
Access control: token-scoped, whitelist, region-lock and country-lock configurable per Namespace
Metadata & Database Layer
Metadata is not an afterthought
Fault-tolerant storage: distributed across 3 availability zones with encrypted storage at every node
Column-level encryption: sensitive fields encrypted at the application layer before DB write
Vector indices: AI search indices encrypted on disk — metadata stays private
Separate key hierarchy: metadata keys are isolated from content keys — different chains, different Vault paths
Access Controls
Zero human access. By architecture.
There is no admin panel that displays decrypted content. Not by policy — by system design. Encryption is applied before data reaches any interface our team could access.
Architectural Guarantee
Partikl has no interface that displays your decrypted content.
Content is encrypted at the application layer before it reaches any database, storage, or cache our team operates. Vault keys are not accessible through any administrative tooling. Your data exists in plaintext only inside your application.
Human access to content happens only when one of the following applies:
01 Valid legal process with jurisdiction (court order, law enforcement)
02 You explicitly grant support access to a specific asset for a bounded time window
03 Formal appeal of an automated moderation decision requiring content review
Responsibility for content rests with you. You control your data. Connect your own domain and storage for full data sovereignty.
Personnel Access
Infrastructure, not data
Production infrastructure access restricted to authorized engineers
All access events logged: timestamp, identity, action, context
Access reviewed on role change and revoked immediately on offboarding
No access to decryption keys in normal operation
Bring your own storage and domain for complete infrastructure independence.
Automated Scanning
Content integrity at upload
All content passes automated ML scanning before storage. Results are not used for model training. Manual review only when ML confidence falls below classification threshold.
DMCA (Public Namespaces): copyright fingerprint matching at upload time.
NSFW (Public Namespaces): configurable threshold per Namespace. Not enabled by default on private.
Private Namespaces: malware scan only. Content responsibility rests with the account holder.
API Tokens
Granular access control
Granular scope: read / write / admin, per Namespace, per scenario
Private access modes: token-only, IP whitelist, region-lock, country-lock
Instant revocation: from the dashboard, effective immediately across all edges
Anomaly alerts: bulk access, geo shift, pattern change → webhook or email
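As an added illustration (not Partikl's code, API or data model), the check below shows how the scope model and the four private access modes listed above compose into one deny-by-default decision. The policy and token structs, the ordering of checks, the scope ranking (admin implies write implies read), the token id tok_example, the fixture values and the assumption that the edge attaches a region and country to every request are all constructed for this example; the Namespace id ns_7xK2mP is the one that appears in the audit log example on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Hypothetical model of the token modes named on the page; not Partikl's real API.

// Scope ordering: admin implies write implies read.
var scopeRank = map[string]int{"read": 1, "write": 2, "admin": 3}

type Token struct {
	ID        string
	Namespace string // a token is bound to exactly one Namespace
	Scope     string // read | write | admin
	Revoked   bool   // flipped from the dashboard; re-checked on every request
}

type NamespacePolicy struct {
	TokenOnly        bool           // no anonymous reads at all
	IPAllowlist      []netip.Prefix // "IP whitelist"; empty = any IP
	AllowedRegions   []string       // "region-lock"; empty = any region
	AllowedCountries []string       // "country-lock" (ISO 3166-1 alpha-2); empty = any
}

type Request struct {
	Namespace string
	Action    string // scope the call needs: read | write | admin
	Token     *Token // nil when no token was presented
	ClientIP  netip.Addr
	Region    string // assumed to be attached by the edge
	Country   string // assumed to be attached by the edge
}

var (
	ErrNoToken   = errors.New("token required")
	ErrRevoked   = errors.New("token revoked")
	ErrNamespace = errors.New("token not valid for this Namespace")
	ErrScope     = errors.New("insufficient scope")
	ErrIP        = errors.New("client IP not in allowlist")
	ErrRegion    = errors.New("region locked")
	ErrCountry   = errors.New("country locked")
)

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Authorize applies every configured mode; all of them must pass.
// Network locks run first so a blocked vantage point learns nothing about
// token validity. Anonymous access is read-only and only when not token-only.
func Authorize(p NamespacePolicy, r Request) error {
	if len(p.IPAllowlist) > 0 {
		allowed := false
		for _, pfx := range p.IPAllowlist {
			if pfx.Contains(r.ClientIP) {
				allowed = true
				break
			}
		}
		if !allowed {
			return ErrIP
		}
	}
	if len(p.AllowedRegions) > 0 && !contains(p.AllowedRegions, r.Region) {
		return ErrRegion
	}
	if len(p.AllowedCountries) > 0 && !contains(p.AllowedCountries, r.Country) {
		return ErrCountry
	}
	if r.Token == nil {
		if p.TokenOnly || r.Action != "read" {
			return ErrNoToken
		}
		return nil
	}
	if r.Token.Revoked {
		return ErrRevoked
	}
	if r.Token.Namespace != r.Namespace {
		return ErrNamespace
	}
	need, known := scopeRank[r.Action]
	if !known || scopeRank[r.Token.Scope] < need {
		return ErrScope
	}
	return nil
}

// Constructed fixtures so the example runs offline.
func SamplePolicy() NamespacePolicy {
	return NamespacePolicy{
		TokenOnly:      true,
		IPAllowlist:    []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
		AllowedRegions: []string{"eu-nl-1"},
	}
}

func SampleToken(ns, scope string) *Token {
	return &Token{ID: "tok_example", Namespace: ns, Scope: scope}
}

func RequestFrom(ns, action string, tok *Token, ip, region, country string) Request {
	return Request{Namespace: ns, Action: action, Token: tok,
		ClientIP: netip.MustParseAddr(ip), Region: region, Country: country}
}

func main() {
	p, t := SamplePolicy(), SampleToken("ns_7xK2mP", "read")
	fmt.Println(Authorize(p, RequestFrom("ns_7xK2mP", "read", t, "10.1.2.3", "eu-nl-1", "NL")))    // <nil>
	fmt.Println(Authorize(p, RequestFrom("ns_7xK2mP", "write", t, "10.1.2.3", "eu-nl-1", "NL")))   // insufficient scope
	fmt.Println(Authorize(p, RequestFrom("ns_7xK2mP", "read", t, "203.0.113.9", "eu-nl-1", "NL"))) // client IP not in allowlist
}
```

The point of the ordering is that the cheapest, least informative rejections come first: a caller outside the allowlist or the locked region is refused before the token is even looked at, so the lock cannot be used as an oracle for token validity, and revocation is a per-request flag lookup rather than anything cached in the token itself.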
Audit Trail
Every operation logged
Example log entry
{ "ts": "2025-01-15T14:23:11.042Z", "op": "asset.transform", "source": "pipeline:thumb-v3", "ns": "ns_7xK2mP", "asset": "ast_9nQr4L", "region": "eu-nl-1", "actor": "system" }
Retention: 90 days (180 on Enterprise)
Coverage: all operations, including pipeline
Export: available on Team+ plans
Planned: DB-level query audit layer
Infrastructure
Your data stays where you put it.
Choose your region. We enforce it at every layer — storage, processing, cache, and delivery. Data never moves across jurisdictions without your explicit instruction.
🇪🇺 Europe (DEFAULT): Netherlands · Germany. Jurisdiction: EU / GDPR. Storage, processing, edge cache and audit logs in region. Preferred jurisdiction. GDPR DPA available with all sub-processors.
🇺🇸 United States (COMING SOON): East Coast · West Coast. Jurisdiction: US / CCPA. Storage, processing, edge cache and audit logs in region. Full feature parity with EU region. Independent key chain.
🌏 Asia-Pacific (COMING SOON): Singapore · South Korea · Japan. Local jurisdictions. Storage, processing, edge cache and audit logs in region. Three independent nodes. Jurisdiction varies by selected country.
⚙️ Custom / BYOS (ENTERPRISE): your infrastructure, your choice. Bring your own S3, bring your own domain, self-hosted option, custom processing region. We encrypt before sending to your storage. Your bucket never sees plaintext.
Namespace Isolation
A hard cryptographic boundary
Each Namespace is a complete isolation unit — not a logical tag. Pipelines, encryption keys, access logs, and content within one Namespace cannot be accessed from another, even within the same Account.
Diagram: Account boundary containing Namespace A (KEK-A, Pipeline-A, Logs-A) and Namespace B (KEK-B, Pipeline-B, Logs-B). No cross-Namespace data access, even within the same Account.
Own encryption key: unique KEK per Namespace, no shared key material
Own pipeline config: workflows, nodes, edges isolated per Namespace
Own access logs: audit trail scoped, no cross-Namespace visibility
Own storage bucket: logical isolation by default, physical on Enterprise
Enterprise: physical isolation, dedicated compute + storage per Namespace
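The per-file DEK wrapped by a Namespace KEK described in the Encryption section, and the "hard cryptographic boundary" between Namespaces described here, are the same mechanism seen from two sides. The following is an added example, not Partikl's code or on-disk format: it implements envelope encryption with AES-256-GCM in Go's standard library and then shows what the boundary buys you, namely that an envelope from Namespace A cannot be opened with KEK-B, cannot be relabelled as another asset, and cannot be modified without detection. The Envelope layout, the use of AES-256-GCM (rather than a dedicated key-wrap mode) for wrapping the DEK, the choice of Namespace id and asset id as associated data, and the sample content are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is a hypothetical stored object: this is everything the bucket sees.
// It carries no key material in the clear and no plaintext.
type Envelope struct {
	Namespace  string // part of the AAD: the ciphertext is bound to one Namespace
	AssetID    string // part of the AAD: and to one asset id
	WrapNonce  []byte
	WrappedDEK []byte // AES-256-GCM(KEK, DEK) under the same AAD
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(DEK, plaintext)
}

func aad(ns, asset string) []byte { return []byte(ns + "/" + asset) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random 96-bit nonce. GCM nonces must never repeat
// under one key; a DEK protects exactly one file here, so random nonces are safe.
func seal(key, ad, pt []byte) (nonce, ct []byte, err error) {
	a, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, a.Seal(nil, nonce, pt, ad), nil
}

func open(key, ad, nonce, ct []byte) ([]byte, error) {
	a, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return a.Open(nil, nonce, ct, ad)
}

// NewKey returns a random 256-bit key: a KEK for a Namespace or a DEK for a file.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// EncryptAsset uses one fresh DEK per file and wraps it with the Namespace KEK.
// Only the envelope leaves the application; the DEK is never stored unwrapped.
func EncryptAsset(kek []byte, ns, asset string, plaintext []byte) (*Envelope, error) {
	dek := NewKey()
	ad := aad(ns, asset)
	n, ct, err := seal(dek, ad, plaintext)
	if err != nil {
		return nil, err
	}
	wn, wdek, err := seal(kek, ad, dek)
	if err != nil {
		return nil, err
	}
	for i := range dek { // drop the plaintext DEK from memory once it is wrapped
		dek[i] = 0
	}
	return &Envelope{Namespace: ns, AssetID: asset, WrapNonce: wn,
		WrappedDEK: wdek, Nonce: n, Ciphertext: ct}, nil
}

// DecryptAsset unwraps with the KEK of the Namespace named in the envelope.
// Any other Namespace's KEK, a swapped asset id or a modified ciphertext fails
// authentication instead of yielding garbage.
func DecryptAsset(kek []byte, e *Envelope) ([]byte, error) {
	ad := aad(e.Namespace, e.AssetID)
	dek, err := open(kek, ad, e.WrapNonce, e.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong Namespace KEK or tampered envelope")
	}
	pt, err := open(dek, ad, e.Nonce, e.Ciphertext)
	if err != nil {
		return nil, errors.New("content authentication failed")
	}
	return pt, nil
}

func main() {
	kekA, kekB := NewKey(), NewKey() // two Namespaces, two KEKs (in Vault in the real system)
	env, _ := EncryptAsset(kekA, "ns_A", "ast_1", []byte("constructed sample content"))
	pt, err := DecryptAsset(kekA, env)
	fmt.Printf("own KEK: %q %v\n", pt, err)
	_, err = DecryptAsset(kekB, env)
	fmt.Println("other Namespace KEK:", err)
}
```

Two practical notes on the design choices here. First, binding the Namespace and asset ids into the associated data is what turns "one DEK per asset" into an isolation property: without it, a ciphertext copied from one object key to another, or across Namespaces with the same KEK, would still decrypt. Second, wrapping with GCM under a long-lived KEK means the KEK sees one random nonce per file; past roughly 2^32 wraps the nonce-collision risk becomes real, which is one reason a rotation schedule for the KEK matters. A dedicated key-wrap mode (RFC 3394 AES-KW) has no nonce to exhaust, and when the KEK is held in Vault the wrap and unwrap are normally performed by Vault's transit engine so the KEK itself never leaves the key store.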
Infrastructure
Design principles
We select and build infrastructure based on security properties, jurisdiction, and isolation capability — not convenience.
Self-hosted infrastructure where possible — minimal third-party dependencies
EU-jurisdiction providers preferred for all EU data
GDPR Data Processing Agreements with all sub-processors
Multi-AZ deployments in every region — no single point of failure
Custom encrypted filesystems — direct disk I/O, not generic ext4
No shared-tenancy between jurisdictions at the storage layer
Fault-tolerant distributed metadata storage across 3 availability zones
Separate Vault paths per region — keys never transit across jurisdictions
Full list of infrastructure providers and DPA status: Sub-processor list
Security Automation
Continuous automated security.
Security is not a one-time audit. Anomaly detection runs in real time. Automated security audits run monthly across the full stack.
Automated Security Audits
Automated dependency scanning (Dependabot/Snyk) and configuration drift detection
Security incidents disclosed at status.partikl.io
Configuration drift
Detect divergence from security baseline across all services
CVE scanning
Dependencies and infrastructure components, continuously
Access pattern analysis
Unusual access sequences across the full stack
Network policy validation
mTLS coverage, open ports, inter-service trust chains
Infrastructure compliance
Data residency enforcement, AZ coverage, backup integrity
Transparency reports: Audit results published publicly after each monthly run.
Independent audit entity: External security review planned
Real-time Detection
Anomaly detection across all access patterns
API usage, data access patterns, and pipeline behaviour are monitored continuously. Deviations from established baselines trigger graduated responses — from throttling to automated suspension.
Trigger → Automated response (severity)
Bulk data access → Rate limit + user notification (HIGH)
Geographic access shift → Verification challenge (MED)
API pattern deviation → Auto-throttle + internal alert (MED)
Pipeline abuse pattern → Automated suspension (HIGH)
Unusual key access → Immediate flag + review (HIGH)
Unusual geographic access → Verification challenge (MED)
Alert channels: Dashboard · Webhook (configurable)
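To make the "Bulk data access" and "Geographic access shift" rows concrete, and to show how they connect to the per-operation audit log described in the Audit Trail section, the example below parses newline-delimited entries in the shape of the log entry shown on this page and evaluates those two triggers with the graded responses from the table. This is an added illustration, not Partikl's detection engine: the thresholds (more than 50 operations by one actor inside a one-minute window; a change of region between consecutive calls less than ten minutes apart), the treatment of the "region" field as the caller's region, the exclusion of the "system" actor, the asset.read operation name and the sample actors tok_A, tok_B and tok_C are all constructed for the example; the Namespace id ns_7xK2mP and the timestamp come from the page's own example entry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Entry has the fields of the audit log entry shown on the page. Treating
// "region" as the caller's region for geo-shift detection is an assumption.
type Entry struct {
	TS     time.Time `json:"ts"`
	Op     string    `json:"op"`
	Source string    `json:"source"`
	NS     string    `json:"ns"`
	Asset  string    `json:"asset"`
	Region string    `json:"region"`
	Actor  string    `json:"actor"`
}

type Finding struct {
	Actor, Trigger, Response, Severity string
}

// Thresholds are assumed for the example; the page does not publish them.
const (
	bulkWindow    = time.Minute
	bulkThreshold = 50
	geoWindow     = 10 * time.Minute
)

// ParseLog reads newline-delimited JSON entries, failing on the first bad line.
func ParseLog(ndjson string) ([]Entry, error) {
	var out []Entry
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

// Detect groups entries per actor and applies two of the page's triggers:
// bulk access (sliding one-minute window) and geographic shift (region change
// between consecutive calls within ten minutes). Pipeline activity by the
// "system" actor is skipped because bulk work is its normal behaviour.
func Detect(entries []Entry) []Finding {
	byActor := map[string][]Entry{}
	for _, e := range entries {
		if e.Actor == "system" {
			continue
		}
		byActor[e.Actor] = append(byActor[e.Actor], e)
	}
	var findings []Finding
	for actor, es := range byActor {
		sort.Slice(es, func(i, j int) bool { return es[i].TS.Before(es[j].TS) })
		bulk, geo := false, false
		j := 0 // start of the sliding window
		for i := range es {
			for es[i].TS.Sub(es[j].TS) > bulkWindow {
				j++
			}
			if i-j+1 > bulkThreshold {
				bulk = true
			}
			if i > 0 && es[i].Region != es[i-1].Region && es[i].TS.Sub(es[i-1].TS) <= geoWindow {
				geo = true
			}
		}
		if bulk {
			findings = append(findings, Finding{Actor: actor, Trigger: "Bulk data access",
				Response: "Rate limit + user notification", Severity: "HIGH"})
		}
		if geo {
			findings = append(findings, Finding{Actor: actor, Trigger: "Geographic access shift",
				Response: "Verification challenge", Severity: "MED"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Actor < findings[j].Actor })
	return findings
}

// SampleLog is constructed input: tok_A reads 60 assets in 30 seconds, tok_B
// reads from eu-nl-1 and two minutes later from us-east-1, tok_C reads slowly
// from one region, and the pipeline ("system") does its own bulk work.
func SampleLog() string {
	base := time.Date(2025, 1, 15, 14, 23, 11, 0, time.UTC)
	line := func(ts time.Time, actor, region string, n int) string {
		return fmt.Sprintf(`{"ts":%q,"op":"asset.read","source":"api","ns":"ns_7xK2mP","asset":"ast_%04d","region":%q,"actor":%q}`+"\n",
			ts.Format(time.RFC3339Nano), n, region, actor)
	}
	var b strings.Builder
	for n := 0; n < 60; n++ {
		b.WriteString(line(base.Add(time.Duration(n)*500*time.Millisecond), "tok_A", "eu-nl-1", n))
	}
	b.WriteString(line(base, "tok_B", "eu-nl-1", 100))
	b.WriteString(line(base.Add(2*time.Minute), "tok_B", "us-east-1", 101))
	for n := 0; n < 5; n++ {
		b.WriteString(line(base.Add(time.Duration(n)*time.Minute), "tok_C", "eu-nl-1", 200+n))
	}
	for n := 0; n < 100; n++ {
		b.WriteString(line(base.Add(time.Duration(n)*time.Second), "system", "eu-nl-1", 300+n))
	}
	return b.String()
}

func main() {
	entries, err := ParseLog(SampleLog())
	if err != nil {
		panic(err)
	}
	for _, f := range Detect(entries) { // tok_A bulk (HIGH), tok_B geo shift (MED)
		fmt.Printf("%s: %s -> %s [%s]\n", f.Actor, f.Trigger, f.Response, f.Severity)
	}
}
```

The sliding window is the part worth copying: a fixed per-minute bucket lets an actor split a burst across a bucket boundary and stay under the threshold, whereas the two-pointer window counts any 60-second span. Whatever the real thresholds are, keeping the pipeline's own actor out of the bulk rule is what stops every thumbnail run from tripping a HIGH alert.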
Compliance
Standards and certifications.
Compliance is an outcome of good engineering, not a starting point. We build security into the architecture first, then seek formal validation.
Current
GDPR (EU 2016/679): all EU data processing. DPA available. Data Processing Agreements with all sub-processors. Status: Compliant
ePrivacy Directive: no tracking cookies. No third-party cookies. No fingerprinting. No analytics without consent. Status: Compliant
DMCA Safe Harbor: copyright process. Takedown process in place. Agent registration in progress. Status: Compliant
Upcoming
US Region (location-based): full support for storage and processing in that location. Status: Planned (Coming Soon)
Asia-Pacific Region (location-based): full support for storage and processing in that location. Status: Planned (On Roadmap)
For Data Processing Agreements, jurisdiction-specific compliance documentation, or enterprise compliance reviews — contact us.
legal@partikl.io
Responsible Disclosure
Found a vulnerability? Tell us.
We take security research seriously. If you find a vulnerability in Partikl, we want to know — and we will treat you fairly for reporting it.
Disclosure scope
In scope
Authentication and authorization flaws
Data isolation failures between Namespaces
Encryption implementation issues
API security vulnerabilities
Server-side injection vulnerabilities
Unauthorized cross-Namespace data access
Out of scope
Social engineering attacks
Physical security
Rate limiting (unless leading to data exposure)
Third-party services not under Partikl's control
Denial of service without data impact
How to report
Email us directly
security@partikl.io
Include in your report:
1 Description of the vulnerability
2 Steps to reproduce
3 Potential impact assessment
4 Your contact information
We do not currently offer a bug bounty program. Valid vulnerability reports are recognised in our Hall of Fame with your permission.
Our Commitments
We treat researchers fairly
Security research makes the platform better. We commit to transparency, fairness, and a professional process for every report we receive.
No legal action: against researchers acting in good faith and following this policy
72-hour acknowledgment: we acknowledge your report within 72 hours of receipt
5-day assessment: initial assessment and severity classification within 5 business days
Credit with permission: we recognise researchers in our Hall of Fame if you wish
Coordinated disclosure
We ask that you give us reasonable time to fix the issue before public disclosure. We will keep you informed of our progress and work with you on a disclosure timeline.
Contact
Get in touch
Use the right channel — we respond faster when requests reach the right team.