Security

A compliance platform has to be the most defensible thing you run.

Joopler protects itself, isolates tenants cryptographically, and produces evidence anyone can verify, without ever needing access to our systems.

SOC 2 · HIPAA · ISO 27001 · PCI DSS · ISO 42001 · NIST 800-53 · OSCAL-native

How we secure ourselves

Cryptographic isolation. Immutable storage. Least privilege everywhere.

Per-tenant KMS keys

Every tenant gets its own asymmetric key. Evidence signatures are unforgeable across tenants.

Tenant isolation

Row-level isolation at the database layer, plus per-tenant object storage prefixes and IAM boundaries.

WORM evidence storage

All evidence is written to S3 Object Lock in compliance mode. Immutable, retention-locked, and audit-logged.

Least-privilege connectors

Read-only, narrowly-scoped credentials for every integration. No standing admin access, ever.

Hash-chained ledger

Every evidence artifact is chained by hash. Any modification breaks the chain and is visible on the next verification.

RFC-3161 timestamps

An independent trusted timestamp authority proves when an artifact existed, without trusting Joopler's clock.

Evidence defensibility

Why an auditor can trust a Joopler artifact without trusting Joopler.

A signed, timestamped, chained artifact is a self-contained proof. It doesn't depend on Joopler being online, honest, or even in business. Anyone with the tenant's public key can walk through the four checks below and reach the same verdict.

  1. Verify the hash

    Recompute SHA-256 over the artifact body. It must match the stored hash exactly.

  2. Verify the timestamp

    Validate the RFC-3161 token against the trusted TSA's certificate chain.

  3. Verify the signature

    Check the signature over (hash, timestamp) using the tenant's published public key.

  4. Verify the chain

    Walk the tamper-evident ledger: every artifact must link cleanly to the previous one.
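
Checks 1 and 4 from the list above, as an added example that is not Joopler's code. The record layout (`body`, `sha256`, `prev`, `entry_hash`), the all-zero genesis value and the chaining rule are assumptions, since the page does not publish the ledger format; the sample ledger is constructed.

```python
import hashlib

GENESIS = "00" * 32  # assumed "previous" value for the first entry


def entry_hash(prev_hex: str, body_hex: str) -> str:
    """Assumed chaining rule: SHA-256(previous entry hash || artifact hash)."""
    return hashlib.sha256(bytes.fromhex(prev_hex) + bytes.fromhex(body_hex)).hexdigest()


def append(ledger: list, body: bytes) -> None:
    """Add one constructed sample entry (stands in for an evidence export)."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    digest = hashlib.sha256(body).hexdigest()
    ledger.append({"body": body, "sha256": digest, "prev": prev,
                   "entry_hash": entry_hash(prev, digest)})


def verify_ledger(ledger: list) -> list:
    """Return (index, reason) for every entry that fails check 1 or check 4."""
    failures = []
    expected_prev = GENESIS
    for i, e in enumerate(ledger):
        # Check 1: recompute SHA-256 over the artifact body.
        if hashlib.sha256(e["body"]).hexdigest() != e["sha256"]:
            failures.append((i, "body hash mismatch"))
        # Check 4: the entry must point at the previous entry's hash ...
        if e["prev"] != expected_prev:
            failures.append((i, "broken link to previous entry"))
        # ... and its own entry hash must follow from (prev, sha256).
        if entry_hash(e["prev"], e["sha256"]) != e["entry_hash"]:
            failures.append((i, "entry hash mismatch"))
        expected_prev = e["entry_hash"]
    return failures


if __name__ == "__main__":
    ledger = []
    for body in (b"access-review.json", b"mfa-policy.json", b"backup-report.json"):
        append(ledger, body)
    print("intact:", verify_ledger(ledger))
    ledger[1]["body"] = b"mfa-policy-edited.json"  # edit without touching hashes
    print("tampered:", verify_ledger(ledger))
```

These two checks catch edits, deletions and reordering, but not a ledger rewritten and re-hashed from the first entry onward. Detecting that case depends on checks 2 and 3, which need the TSA certificate chain and the tenant's public key.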

Responsible disclosure

Found a vulnerability? Email security@joopler.com. We acknowledge within one business day and work with reporters in good faith.

Ready to see verifiable compliance?

Start free. Connect your stack. Share auditor-defensible evidence in days, not months.