How we keep your data safe.
What we build on, what we run, and how we handle your data. Written so a security reviewer can skim it in two minutes.
Last reviewed: April 24, 2026
Built on audited infrastructure.
Decoy is not separately audited. The platforms underneath it are, and those controls are what your data rides on.
Workers, Workers KV, and Pages are in scope for Cloudflare's SOC 2 Type II attestation, ISO 27001 certification, and PCI DSS 4.0 Level 1 validation.
View their security page
Payments are handled by Stripe, a PCI DSS Level 1 certified service provider. Decoy never sees or stores raw card data.
View their security page
Magic links, billing notices, and team invites are delivered by Resend, which is SOC 2 Type II.
View their security page
How we protect your account.
Each of these is in the code today, not a roadmap item.
- Passkey-first authentication via WebAuthn. We never store passwords.
- Session cookies are HttpOnly, Secure, and SameSite, with a 30-day lifetime.
- HSTS enforced with max-age=31536000 and includeSubDomains.
- Content Security Policy with per-request nonces; frame-ancestors denied.
- Webhooks are HTTPS-only and HMAC-verified where the receiver supports it.
- Per-token and per-IP rate limits on every public endpoint.
- One-click unsubscribe (RFC 8058) on every non-transactional email.
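Several of the controls above are visible in response headers, so a reviewer can check them from the outside. The audit below is an added example, not Decoy's own code: the sample headers are constructed, and the cookie name, nonce value and SameSite=Lax setting are placeholders this page does not specify.

```python
# Added example, not Decoy's code; cookie name, nonce and SameSite=Lax are placeholders.
THIRTY_DAYS = 30 * 24 * 3600

def params(value):
    """'a; b=c' -> {'a': '', 'b': 'c'} with lowercase keys, quotes stripped."""
    pairs = (p.strip().partition("=") for p in value.split(";"))
    return {k.strip().lower(): v.strip().strip('"') for k, _, v in pairs if k}

def csp_directives(value):
    """CSP header -> {directive: [lowercased source tokens]}; first one wins."""
    out = {}
    for tokens in filter(None, (d.split() for d in value.lower().split(";"))):
        out.setdefault(tokens[0], tokens[1:])
    return out

def cookie_ok(set_cookie):
    attrs = params(set_cookie.partition(";")[2])  # skip the name=value pair
    age = attrs.get("max-age", "0")  # no Max-Age: browser-session cookie
    return ("httponly" in attrs and "secure" in attrs and bool(attrs.get("samesite"))
            and age.isdigit() and int(age) <= THIRTY_DAYS)

def audit(headers):
    """headers: list of (name, value) pairs. Returns {check name: passed}."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    hsts = params(by_name.get("strict-transport-security", [""])[0])
    csp = csp_directives(by_name.get("content-security-policy", [""])[0])
    scripts = csp.get("script-src", csp.get("default-src", []))
    cookies = by_name.get("set-cookie", [])
    return {
        "hsts": hsts.get("max-age", "").isdigit()
                and int(hsts["max-age"]) >= 31536000 and "includesubdomains" in hsts,
        "csp_nonce": any(s.startswith("'nonce-") for s in scripts),
        "frame_ancestors_denied": csp.get("frame-ancestors") == ["'none'"],
        "cookies": bool(cookies) and all(cookie_ok(c) for c in cookies),
    }

GOOD = [  # constructed response matching the listed controls
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "script-src 'self' 'nonce-PLACEHOLDER'; frame-ancestors 'none'"),
    ("Set-Cookie", "sid=PLACEHOLDER; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax"),
]
WEAK = [  # constructed response that fails every check
    ("Strict-Transport-Security", "max-age=86400"),
    ("Content-Security-Policy", "script-src 'self' 'unsafe-inline'; frame-ancestors 'self'"),
    ("Set-Cookie", "sid=PLACEHOLDER; Max-Age=31536000; Secure"),
]
```

`audit(GOOD)` passes all four checks and `audit(WEAK)` fails all four. Cookie lifetime is read from Max-Age only; an Expires attribute is not evaluated.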
What we hold and for how long.
Time-to-live values are set on the underlying records. Expired data is removed automatically. Deleting your account removes all of the below.
Subprocessors.
Everyone Decoy sends customer data to, and why.
Report a vulnerability.
If you've found a security issue in Decoy, email [email protected]. We'll confirm receipt within one business day. Good-faith research conducted under this policy is welcome. We won't pursue legal action for reports that avoid privacy violations, data destruction, or service disruption.
Machine-readable contact: /.well-known/security.txt
General security questions: [email protected]