Trust & Transparency

Security & Compliance

Plain facts about how Password Pusher protects your data. No theatre, no filler — just what you need for your security review.

Last updated May 2026

01

What Password Pusher Is (and Isn't)

Password Pusher is a tool for secure, temporary distribution of sensitive information. It generates one-time links that automatically self-destruct after a configurable number of views or elapsed time, with full lifecycle audit logging.

Password Pusher is not a credential manager, password vault, or secrets store. It does not retain or manage credentials long-term. Data is ephemeral by design.

Open Source · Ephemeral by Design · Audit Logged · Self-Hostable

Open Source Core, Pro Feature Superset

Password Pusher is available in three editions: OSS (fully open source), Premium, and Pro. All three share the same core application — including all encryption, data handling, expiry logic, and audit logging. This core is fully open source and independently auditable at github.com/pglombardo/PasswordPusher.

The Pro and Premium editions add feature-level capabilities on top of this core — such as team collaboration, custom domains, branding, file uploads, and policy enforcement. These additions are closed source. The security-critical architecture is the same across all editions.

Through our Feature Pipeline, Pro and Premium features are periodically released to the open source edition. Subscribers get early access to new capabilities while supporting continued open source development.

02

Encryption & Data Handling

  • Encryption at Rest: AES-256-GCM
  • Encryption in Transit: TLS 1.2+ (HTTPS enforced)
  • Data Retention: Ephemeral — auto-expires by views or time
  • After Expiry: Payload cryptographically destroyed

Push payloads are encrypted before storage using a unique derived key per field. When a push expires — either by reaching its view limit or time limit — the encrypted payload is permanently destroyed. There is no 'recycle bin' or soft delete. Metadata (audit logs) is retained according to account settings.

For detailed technical documentation on encryption implementation, key derivation, risk mitigation strategies, and file upload security, see our Security & Encryption documentation.

03

Infrastructure & Data Residency

Password Pusher operates two distinct data regions. Sensitive data provided in pushes and requests is processed solely within the chosen data region and is never transferred outside of that region.

🇪🇺

EU Region (eu.pwpush.com)

The EU instance processes and stores all push payloads, metadata, audit logs, and account data exclusively within the European Union.

  • Hosting Provider: DigitalOcean — Netherlands (EEA)
  • Data Center Location: Netherlands, EU
  • Backups Location: Netherlands, EU (DigitalOcean)
  • Data Transfer Outside EU: Push/request payload data: none. Billing data is processed by Stripe (US) under EU SCCs. Newsletter data by Buttondown (US) under EU SCCs.

🇺🇸

US Region (us.pwpush.com)

The US instance is hosted in the United States on DigitalOcean infrastructure. Push and request data is processed solely in the US and deleted upon expiration, with no transfers to other countries. Organizations requiring EU data residency should use eu.pwpush.com or self-host.

04

Certifications & Assurance

We believe in stating facts plainly. Here is exactly where Apnotic stands today:

What we have

  • Open source core — all security-critical code (encryption, data handling, expiry, audit logging) is shared across editions and independently auditable (GitHub)
  • Encryption at rest and in transit — AES-256-GCM + TLS 1.2+
  • EU data residency — dedicated EU instance with data stored exclusively in the EU
  • Ephemeral data model — payloads auto-expire and are cryptographically destroyed
  • Full audit logging — lifecycle tracking for every push
  • Self-hosting option — deploy on your own infrastructure under your own compliance controls
  • Data Processing Agreement — available on request

What we don't have yet

  • SOC 2 Type II
  • ISO 27001
  • HIPAA BAA (for the hosted service)
  • TISAX, CSA STAR, or similar third-party certifications
  • Published penetration test summary

Apnotic, LLC is an independent, bootstrapped company founded in 2024. We have not yet pursued formal compliance certifications for the hosted service. We take security seriously — but we won't claim badges we haven't earned.

If your vendor onboarding process requires SOC 2 or ISO 27001 certification, the hosted service may not meet your requirements today. We recommend self-hosting Password Pusher — this gives your organization full control over the compliance posture and allows certification under your own ISMS.

05

Self-Hosting for Full Compliance Control

Recommended for regulated industries

When you self-host Password Pusher, Apnotic is a software vendor — not a data processor. Your data never touches our infrastructure. You control encryption, access, retention, and compliance certification entirely within your own environment.

Password Pusher is available as a container image for deployment on your own infrastructure. Self-hosting is the recommended approach for organizations in regulated industries or with strict vendor compliance requirements.

We maintain detailed guidance for self-hosted compliance scenarios:

With self-hosting, Password Pusher can operate within your existing SOC 2, ISO 27001, or HIPAA compliance scope. The guides above include control mapping, auditor Q&A, and data flow documentation.

06

Data Processing Agreement

A Data Processing Agreement is available for organizations using the hosted service (pwpush.com or eu.pwpush.com). We can provide:

  • Our standard DPA aligned with GDPR Article 28 requirements
  • Countersigned copies for your compliance documentation

To request a signed DPA, contact support@pwpush.com.

Self-hosted customers: When you self-host, Apnotic does not process your end-user data. A DPA is not required — Apnotic's relationship with you is as a software licensor, not a data processor. See our Data Architecture guide for details.

07

Subprocessors

The following subprocessors are used by the hosted service:

| Subprocessor | Purpose | Location | EU Safeguards | Handles Push Data? |
|---|---|---|---|---|
| DigitalOcean | Application hosting, database & backups | Netherlands (EU) / United States | EEA adequacy (EU instance) | Yes — encrypted at rest |
| Stripe | Payment processing | United States | EU SCCs | No — billing data only |
| Buttondown | Email newsletter delivery | United States | EU SCCs | No — email address only |
| Brevo | Transactional email | France (EU) | EEA adequacy | No — email delivery only |
| Plausible Analytics | Privacy-focused website analytics | EU | EEA adequacy; no personal data collected | No — anonymous usage stats only |

Key point for EU customers: Only DigitalOcean handles push/request payload data, and for the EU instance, this data is processed exclusively in the Netherlands. Stripe and Buttondown (both US-based) only process billing and email data respectively, under EU Standard Contractual Clauses. Brevo and Plausible are EU-based.

Subprocessor list last updated: May 2026. For the authoritative and most current list, see the EU Privacy Policy or US Privacy Policy.

08

Security Practices

Access Control

  • Production infrastructure access is limited to 2 individuals
  • All production access requires multi-factor authentication
  • Administrative access is logged

Development Practices

  • Source code publicly auditable on GitHub
  • Dependency vulnerability scanning via automated tooling
  • Container images published from CI with reproducible builds

Incident Response

  • Security issues can be reported to security@pwpush.com
  • We aim to acknowledge security reports within 2 business days

09

Security Contact

Questions about security or compliance?

Email support@pwpush.com — we respond to security inquiries within 2 business days.

For self-hosting guidance, see our deployment documentation.

Last updated: May 2026 · Apnotic, LLC