Security by default, not by policy.
The controls below are always on — not optional add-ons for enterprise tiers.
All data is stored and processed in the United States. Compute runs on Render (US-East), key and usage data on Xata (us-east-1). No data leaves US jurisdiction.
All API traffic is encrypted with TLS 1.3. HTTPS is required — plain HTTP connections are rejected. Cloudflare handles edge termination with HSTS enabled on all endpoints.
API keys are hashed using bcrypt before storage. Plaintext keys are never written to disk or logged. Key revocation takes effect within 60 seconds across all nodes.
Every API key has enforced rate limits (10–1,000 req/min depending on tier). Brute-force attacks are blocked at the edge by Cloudflare. There are no shared limits across accounts.
Where we stand.
We report our compliance status honestly — in progress means in progress.
Found something? Tell us.
If you discover a security vulnerability in GeoClear, please email [email protected] directly. We'll respond within 48 hours and give public credit for confirmed findings.
We ask that you give us reasonable time to investigate and remediate before public disclosure, and that you avoid accessing or modifying data belonging to other customers during research. We do not pursue legal action against researchers acting in good faith.
Questions about our security posture?
Our team is happy to discuss controls, data handling, and enterprise requirements.