Encryption
All data in transit is protected with TLS 1.3. Data at rest is encrypted using AES-256. API keys and secrets are stored in hardware security modules (HSMs) and never accessible in plaintext by any employee.
Monitoring & Response
24/7 Security Operations Centre (SOC) monitoring. Automated anomaly detection on all API endpoints and authentication systems. Our incident response team maintains a target containment time of under 1 hour.
Found a vulnerability?
We take security reports seriously and appreciate the effort of security researchers who disclose vulnerabilities responsibly. If you've found a potential issue in our systems, please let us know before disclosing publicly.
Send a detailed description to security@courier.com. Encrypt sensitive reports using our PGP public key (available on request). We will acknowledge receipt within 24 hours and provide status updates throughout our investigation.
Our commitment: We will not pursue legal action against researchers who follow responsible disclosure guidelines. We offer recognition (and sometimes bounties) for high-severity findings.