# Security at NextAPI
We treat security as a first-class engineering requirement, not a checkbox. Here’s how we protect your data and your customers’ data.
## Encryption
- TLS 1.3 for all API communication
- Argon2id hashing for API key storage
- HMAC-SHA256 signature for webhook payloads
- AES-256 encryption at rest for stored content
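The webhook signature bullet above is the one item on this list a customer has to implement themselves: the receiving side must recompute the HMAC-SHA256 over the raw request body and compare it in constant time. The following is an added example of such a receiver-side check, not code from NextAPI; the header names (`X-NextAPI-Signature`, `X-NextAPI-Timestamp`), the `timestamp.body` signing layout and the 300-second replay window are all assumptions, since the page does not specify the wire format. The sample secret and payload are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import time

# Assumed header names and replay window; NextAPI's real format is not given on the page.
SIG_HEADER = "X-NextAPI-Signature"
TS_HEADER = "X-NextAPI-Timestamp"
MAX_SKEW_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.

    Covering the timestamp with the MAC means an attacker cannot re-date a
    captured request; signing the raw bytes (not re-serialised JSON) means
    key ordering or whitespace changes do not break verification.
    """
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: float | None = None) -> bool:
    """Return True only if the signature is valid and the timestamp is fresh.

    `headers` is assumed to be a plain dict with the header names as keys;
    most web frameworks hand you a case-insensitive mapping instead, which
    works the same way here.
    """
    timestamp = headers.get(TS_HEADER)
    presented = headers.get(SIG_HEADER)
    if not timestamp or not presented:
        return False  # unsigned or half-signed request: reject, never fall through
    try:
        ts_value = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts_value) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = compute_signature(secret, timestamp, body)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Exercise the happy path and the failure modes with constructed data."""
    secret = b"whsec_constructed_example_secret"          # constructed, not a real key
    body = b'{"event":"video.completed","id":"vid_example"}'  # constructed payload
    ts = "1700000000"
    sig = compute_signature(secret, ts, body)
    good = {SIG_HEADER: sig, TS_HEADER: ts}
    return {
        "valid": verify_webhook(secret, good, body, now=1700000010),
        "tampered_body": verify_webhook(secret, good, body + b" ", now=1700000010),
        "wrong_secret": verify_webhook(b"other-secret", good, body, now=1700000010),
        "replayed_late": verify_webhook(secret, good, body, now=1700001000),
        "missing_signature": verify_webhook(secret, {TS_HEADER: ts}, body, now=1700000010),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'rejected'}")
```

Two details matter in practice: verify against the exact bytes the server sent (read the body before any JSON middleware touches it), and reject anything that fails the timestamp check even when the MAC is correct, otherwise a captured valid delivery can be replayed indefinitely.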
## Access Control
- API key authentication with per-key scopes
- IP allowlist enforcement for enterprise accounts
- Rate limiting at API key and IP level
- Admin routes protected with dedicated token + rate limits
## Monitoring & Observability
- Real-time anomaly detection on API traffic
- Prometheus + Grafana dashboards with alerting
- Structured logging with Loki (no PII in logs)
- OpenTelemetry distributed tracing
## Infrastructure
- Cloudflare DDoS protection and WAF
- Isolated compute for Enterprise queue lanes
- Automated backups with point-in-time recovery
- Graceful shutdown for zero-downtime deployments
## Compliance
- SOC 2 Type II (in progress — target Q3 2026)
- GDPR-compliant data processing
- Configurable data retention policies
- Configurable content moderation profiles
## Responsible Disclosure
- Security vulnerabilities: security@nextapi.dev
- Bug bounty program (coming Q3 2026)
- 72-hour acknowledgment for all reports
- Public post-mortem for significant incidents
## Subprocessors

Third-party services that process data on our behalf.

| Provider | Purpose | Location |
|---|---|---|
| Seedance (Bytedance) | Video generation model provider | China / Global |
| Clerk | Authentication & identity management | United States |
| Cloudflare | CDN, DDoS protection, DNS | Global |
| Aliyun (Alibaba Cloud) | Compute, database, storage | Hong Kong |