Security Scorecard
Security ratings from A to F for 160 developer services. We check SOC2, HIPAA, and GDPR certifications, encryption at rest and in transit, MFA enforcement, SSO availability, audit logging, bug bounty programs, and public breach history. Know before you trust them with your data.
Row-level security built-in. Self-hosted option for full control.
Google Cloud security. BAA available for HIPAA. Security rules DSL.
Auth provider — security is their core product. Built-in bot detection.
PCI DSS Level 1. Best-in-class payment security. Radar for fraud.
Data scrubbing for PII. Self-hosted option. BAA for HIPAA.
Vitess-based. Non-blocking schema changes reduce incident risk.
30-day data retention for abuse monitoring (can opt out on Enterprise). Strong security posture from safety-focused culture.
Enterprise-grade auth. Okta parent company adds security depth. Adaptive MFA, bot detection built-in.
Enterprise-grade. HIPAA-eligible logs. FedRAMP authorized. Agent runs with host access — ensure proper scoping.
HIPAA BAA available on Pro and Enterprise. SOC2 Type II. RBAC granular controls. Open-source core allows self-hosted if needed.
Redis Enterprise features: RBAC, TLS mutual auth, CRDT-based Active-Active. HIPAA BAA on Premium. PCI DSS compliant.
Distributed SQL with built-in encryption. SOC2 Type II. HIPAA BAA on Dedicated. Column-level encryption available. FedRAMP in progress.
PCI DSS Level 1. HIPAA BAA available. Real-time log streaming. WAF powered by Signal Sciences. Edge Compute runs in isolated sandbox.
FedRAMP authorized. PCI DSS Level 1. Largest CDN network. Prolexic DDoS protection. Enterprise-grade WAF and bot management.
Enterprise SSO/SCIM provider — security is core product. SOC2 Type II. Directory Sync with SCIM 2.0. Admin Portal for customer self-service. Bug bounty via HackerOne.
SOC2 Type II, HIPAA BAA on Enterprise. Audit log with full flag change history. RBAC with custom roles. Relay Proxy for air-gapped environments. FedRAMP authorized.
SOC2 Type II, HIPAA BAA on Dedicated Tier. MySQL-compatible distributed SQL. RBAC with fine-grained column-level permissions. Data encryption via AWS KMS or GCP CMEK.
SOC2 Type II. HIPAA BAA on Dedicated. Distributed PostgreSQL-compatible. Column-level encryption. VPC peering for network isolation. Audit logging on all tiers.
SOC2 Type II. Passwordless-first approach reduces credential stuffing risk. Device fingerprinting built-in. SSO and SCIM on Enterprise. B2B auth focus.
SOC2 Type II, HIPAA BAA on Enterprise. EU data residency available. PII governance controls. RBAC with custom roles. ISO 27001 certified.
Enterprise SIEM leader. FedRAMP authorized. PCI DSS compliant. Role-based access with granular index-level permissions. Splunk Cloud is SOC2 Type II and ISO 27001.
SOC2 Type II, HIPAA BAA on Enterprise. Elasticsearch encryption at rest via AES-256. RBAC with field-level security. Self-hosted option for full control.
SOC2 Type II, ISO 27001, FedRAMP authorized. HIPAA BAA available. OneAgent runs with host access — scope permissions carefully. Data residency options for EU.
SOC2 Type II, HIPAA BAA on Enterprise. Built on PostgreSQL — inherits PG security model. VPC peering available. Column-level encryption via pgcrypto.
SOC2 Type II, HIPAA BAA on Dedicated. OLAP database. RBAC with row-level security policies. IP whitelisting. Private endpoints via AWS PrivateLink or GCP Private Service Connect.
Industry-standard secrets manager. SOC2 Type II, FedRAMP authorized (HCP Vault). Dynamic secrets, encryption-as-a-service, PKI. Self-hosted or HCP managed. Audit log with detailed request tracing.
SOC2 Type II. State files encrypted at rest. Sentinel policy-as-code for governance. SSO on Business. Audit log tracks all state and plan operations. Run tasks for pre-apply checks.
SOC2 Type II. mTLS for all worker-to-server communication. Data converter encryption for payload-level security. SSO via SAML. Namespace-level isolation. Audit log on all plans.
SOC2 Type II, ISO 27001, HIPAA BAA on Enterprise. SAML SSO on Business+. Audit log on Enterprise. Board-level sharing controls. Data residency in EU available.
SOC2 Type II, ISO 27001. Self-managed option for full control. SAML SSO on Premium+. Audit events on Premium+. Transparent security handbook published publicly.
Inherits Cloudflare security posture. S3-compatible. Server-side encryption at rest. Access via Workers bindings or API tokens. Zero egress fees. SOC2 Type II.
PCI DSS Level 1. SOC2 Type II. Bug bounty via HackerOne. 2020 insider threat was contained and employees terminated. Staff permissions model is robust.
SOC2 Type II, HIPAA BAA on Enterprise. ISO 27001. SAML SSO. Granular RBAC with custom roles. Audit log on all plans. Content versioning with rollback capability.
SOC2 Type II, ISO 27001. SAML SSO on Enterprise. Audit log via API. Field-level data redaction at ingest via processors. Strong opinionated security defaults. No HIPAA BAA.
SOC2 Type II. mTLS for all worker-to-server connections. Data converter for payload-level encryption. SAML SSO. Namespace-level isolation. Audit log on all plans. No HIPAA BAA.
SOC2 Type II, ISO 27001. Enterprise SSO/SCIM is the core product. SCIM 2.0 provisioning. Admin Portal for customer self-service. Bug bounty via HackerOne. No HIPAA BAA.
SOC2 Type II. Passwordless-first reduces credential stuffing risk. Device fingerprinting built-in. SCIM on Enterprise. B2B auth focus. No HIPAA BAA. No bug bounty.
SOC2 Type II, HIPAA BAA on Business+. Part of Twilio — inherits enterprise security posture. Audit log for all workspace changes. RBAC with workspace-level access control. Destination-level data filtering.
SOC2 Type II. Secrets encrypted at rest with AES-256-GCM. All API calls audited. SSO on Team+. Immutable audit log — cannot be deleted. No HIPAA BAA. CLI, GitHub Actions, and Kubernetes integrations.
SOC2 Type II. SAML SSO on Enterprise. Audit log for all developer actions. IP allowlisting on Enterprise. Credentials for data warehouse connections encrypted with per-customer keys. Bug bounty via HackerOne.
SOC2 Type II, HIPAA BAA on Business+. Twilio parent company provides deep enterprise security posture. Workspace RBAC. Audit log for all changes. Destination-level data controls. Bug bounty via HackerOne.
Branching creates isolated Postgres instances per PR. Each branch has separate credentials. Inherits Supabase's SOC2 and encryption. RLS applies per branch.
SOC2 Type II. Role-based access control for GraphQL. JWT and webhook auth modes. Allow-list for production queries. API rate limiting. Self-host for full control.
No bug bounty program. SSO only on Enterprise. Deployment protection available.
Client-side field-level encryption available. 2023 incident was contained.
Self-hosted option for full data control. EU cloud available.
2017 Cloudbleed memory-disclosure bug was severe but quickly patched. WAF and DDoS protection built-in.
API data not used for training by default. Enterprise plan offers data processing agreement. 2023 leak was patched quickly.
Decent security posture. SSO on Business plan. No bug bounty. Deploy previews can leak sensitive data if misconfigured.
Serverless Postgres. SOC2 Type II attained 2024. No HIPAA BAA. Branching model means dev branches share infra — scope access carefully.
SOC2 Type II. SSO on Business plan. Audit log available. No HIPAA. API tokens are long-lived — rotate regularly.
2022 breach was phishing-based, not infra failure. HIPAA BAA available. PCI DSS Level 1. Watch for account takeover via phone number porting.
Open-source secrets manager. End-to-end encryption — Infisical can't read your secrets. Self-hosted option available. No SOC2 yet (in progress).
SOC2 Type II achieved 2024. Event payloads encrypted at rest. SSO on Pro plan. No HIPAA BAA. Function execution logs retained 7 days.
V8 isolate sandboxing provides strong runtime security. SOC2 Type II. No SSO or audit log yet. Deno's secure-by-default permissions model is a plus.
SOC2 Type II. REST-based access with per-key token scoping. SSO on Pro. Data encrypted with AES-256 at rest. No HIPAA BAA.
SOC2 Type II. No HIPAA BAA. 2020 billing incident was minor and quickly contained. VPC and firewall controls available. Cloud HSM not available.
SOC2 Type II. Serverless functions run in deterministic sandbox. Row-level access control via helper functions. No HIPAA BAA. Audit log on Pro.
SOC2 Type II. Built on PostgreSQL. Branch-per-environment model. SSO on Business plan. No HIPAA BAA. API keys are scoped per-database.
SOC2 Type II. DKIM/SPF/DMARC enforcement. 45-day message retention. SSO available. No HIPAA BAA. Strict anti-spam policy — accounts reviewed manually.
Open-source with self-hosted option. No SOC2 on cloud (in progress). SSO available on Scale plan. Audit log tracks flag changes. RBAC per-project.
SOC2 Type II achieved 2024. Open-source with self-hosted option. SSO on Enterprise. Calendar data contains meeting details — scope access carefully. OAuth integrations require careful permission scoping.
SOC2 Type II on n8n Cloud. Self-hosted option for full control. Workflows store credentials for third-party services — credential encryption is critical. SSO on Enterprise.
SOC2 Type II. S3-compatible API. Server-side encryption with SSE-B2 or SSE-C. No SSO — account-level auth only. Application keys with bucket-scoped permissions.
SOC2 Type II, HIPAA BAA on Enterprise. 2023 staging breach did not expose customer telemetry data. FedRAMP Moderate. SAML SSO on Pro+.
SOC2 Type II. Time-series database. API token scoping per bucket. SSO on Enterprise. No HIPAA BAA. Self-hosted OSS option for compliance-sensitive workloads.
Service mesh and service discovery. mTLS between services. ACL system with token-based auth. Self-hosted requires manual setup of both TLS for RPC/HTTP traffic and a shared symmetric key for gossip encryption; both are off by default. HCP Consul is SOC2 Type II.
API gateway with plugin-based security. Rate limiting, OAuth2, mTLS plugins. Kong Konnect (cloud) is SOC2 Type II. Self-hosted OSS requires manual security hardening.
SOC2 Type II. State encrypted at rest. Secrets encrypted per-stack with configurable providers (AWS KMS, etc.). SSO on Enterprise. No HIPAA BAA. Self-managed backends available.
SOC2 Type II. Stores OAuth tokens for 7000+ integrations — high-value target. SSO on Company plan. Audit log on Enterprise. No HIPAA BAA. Zap data retained 30 days.
SOC2 Type II. SAML SSO on Enterprise. Audit log on Enterprise. No HIPAA BAA. Content is not end-to-end encrypted — Notion can access workspace content. API tokens are long-lived.
SOC2 Type II. SAML SSO on Organization plan. Audit log on Enterprise. No HIPAA BAA. Design files may contain sensitive mockups — control sharing and link access settings.
SOC2 Type II, ISO 27001. Atlassian Guard (formerly Access) for SSO and MFA enforcement. Audit log via Atlassian Admin. No HIPAA BAA. Cloud vs Data Center security models differ significantly.
Atlassian product — shares Atlassian Guard for SSO and MFA. SOC2 Type II. No HIPAA BAA. Audit log via Atlassian Admin. IP allowlisting on Premium.
SOC2 Type II, HIPAA BAA available. S3-compatible storage. Server-side encryption AES-256. IAM with bucket policies. SSO on Enterprise. No egress fees reduces cost-driven security shortcuts.
SOC2 Type II, PCI DSS Level 1. ISO 27001. SSO on Enterprise. API tokens with OAuth scoping. No bug bounty program. WAF and DDoS protection included.
SOC2 Type II. SAML SSO on Business+. Audit log available. No HIPAA BAA. API tokens with per-space scoping. Content delivery via CDN with token-based preview access.
SOC2 Type II. SAML SSO on Enterprise. Audit log on Enterprise. Bug bounty via HackerOne. No HIPAA BAA. Site-level publishing permissions. Custom code injection requires trust in editors.
SOC2 Type II achieved 2024. LPU inference platform. API keys with org/project scoping. SSO on Enterprise. No HIPAA BAA. Inputs/outputs not retained for training per default policy.
SOC2 Type II. Serverless GPU compute. gVisor sandboxing for function isolation. Secrets encrypted via cloud KMS. SSO on Team plan. No HIPAA BAA. Volumes encrypted at rest.
SOC2 Type II, ISO 27001, HIPAA BAA on Enterprise Grid. SAML SSO. Enterprise Key Management for customer-managed encryption keys. Audit logs API. Two notable breaches in history.
SOC2 Type II. Event-driven function platform. Event payloads encrypted at rest. SSO on Pro+. Audit log on Pro. No HIPAA BAA. Function logs retained 7 days on standard plans.
Open-source runtime with secure-by-default permissions model (--allow-net, --allow-read, etc.). Bug bounty via huntr. Significantly safer default than Node for untrusted code. Deno Deploy is separately certified.
SOC2 Type II. SAML SSO on Enterprise. Document-level access control via custom roles. Bug bounty via HackerOne. Content Lake encrypted at rest. EU data residency available.
SOC2 Type II. Built on ClickHouse. Token-based auth with row-level security policies. SSO on Enterprise. EU and US data residency. No HIPAA BAA. Strong audit logging via Service Data Sources.
SOC2 Type II achieved 2024. LPU inference with no training on paid API data. API key scoped per project. SSO on Enterprise. No HIPAA BAA. No bug bounty program.
SOC2 Type II. gVisor container sandboxing. Secrets managed via cloud KMS. SSO on Team plan. Function logs accessible per-invocation. No HIPAA BAA. No bug bounty.
EU-hosted (Hetzner). GDPR-compliant by design — no personal data collected. No cookies, no IP storage. No SOC2 (small company). Self-hosted option for maximum control.
SOC2 Type II. EU and US data residency. SSO on Team plan. Audit log for status page and alert changes. No HIPAA BAA. No bug bounty.
SOC2 Type II. 2024 incident prompted rotation of user tokens and security improvements. Bug bounty available. Private model repos and inference endpoints available. No HIPAA BAA. SSO on Enterprise Hub.
SOC2 Type II (Airbyte Cloud). Open-source self-hosted option for full control. RBAC for workspace members. Secret management via AWS Secrets Manager on Cloud. No HIPAA BAA.
SOC2 Type II (Hasura Cloud). Row-level security via Hasura permissions inherited from PostgreSQL RLS. JWT and webhook auth modes. Audit log on Enterprise tier. No HIPAA BAA. Self-hosted option.
SOC2 Type II, HIPAA BAA on Enterprise. 2022 phishing breach was via Okta; affected 27 customers. ISO 27001 certified. Self-hosted option for regulated industries. Bug bounty via HackerOne.
SOC2 Type II, ISO 27001. SAML SSO on Team+. Audit log via Activities API. No HIPAA BAA. API key and OAuth token auth. Content delivery via CDN. No bug bounty.
SOC2 Type II. SAML SSO on Enterprise. Document-level access control. Bug bounty via HackerOne. Content Lake encrypted at rest. EU data residency available. No HIPAA BAA.
SOC2 Type II. PostgreSQL-based. Branch-per-environment model reduces blast radius. SSO on Business. No HIPAA BAA. API keys scoped per-database.
Open source API key management. Keys hashed at rest. Rate limiting built-in. Per-key usage audit logs. No SOC2 yet. Self-host for full control.
Security SDK — rate limiting, bot detection, email validation in your app. Open source core. No SOC2. No data leaves your infra on self-host.
Open source auth. Passwords bcrypt-hashed. OAuth and magic links. Self-host for data control. No SOC2 yet. SSO on paid plan.
Passkey-first — WebAuthn by default eliminates password vulnerabilities. Open source. FIDO2 certified. Passkeys inherently phishing-resistant.
SOC2 Type II (cloud). LLM traces encrypted at rest. Self-host — no prompts leave your infra. SSO on Teams. API key scoped per project.
SOC2 Type II. Data not used for training. SSO on Enterprise. Wafer-scale chip; treat per-request compute isolation as a vendor claim and check the tenancy model before sending sensitive inputs.
SOC2 Type II. Row-level access via functions. All queries server-side. SSO on Pro+. AES-256 at rest.
Self-hosted auth library. Security depends on your deployment. Passwords bcrypt-hashed. MFA and SSO built-in. No cloud means no vendor-hosted data to breach, but the library itself is still a supply-chain dependency to track. You own your security posture.
Code library — security is your responsibility. Built-in CSRF protection, secure headers middleware. No data handling. When deployed to a V8-isolate edge runtime it inherits that runtime's sandboxing; on Node or Bun it does not.
SOC2 Type II. Data not used for training. Custom LPU hardware — isolated compute. SSO on Enterprise. API key rotation supported.
Built-in structured auth middleware. Automatic TLS. Cloud offering has infrastructure-level security. Open source framework — audit the code. DPA available.
CLI tool — no network access, no data storage; attack surface is limited to parsing local input. Runs locally. Rust memory safety. Supply chain risk minimal — single binary, no npm dependencies at runtime.
CLI tool — state file encryption supported. Linux Foundation governance. State files may contain secrets — always encrypt at rest. Remote state backends inherit their provider's security posture.
SOC2 Type II. ClickHouse-based. Per-token API access scoping. SSO on Enterprise. EU data residency. Row-level security on published endpoints.
SOC2 Type II achieved 2025. DKIM/SPF/DMARC support for email auth. API key scoped per domain. No SSO yet. Webhook signature verification.
SOC2 Type II. 2024 token exposure was disclosed and patched quickly. SSO on Enterprise. Content served via CDN with DDoS protection.
SOC2 Type II. SAML SSO on Enterprise. Content API with token-scoped access. Document-level permissions. EU data residency available.
SOC2 Type II. Serverless Postgres with IP allow-listing. Branch credentials isolated. Connection pooling via PgBouncer. No HIPAA BAA. Per-branch access control.
SOC2 Type II. Wafer-scale chip; treat hardware-level compute isolation as a vendor claim and verify the tenancy model. Data not used for training. SSO on Enterprise. API key management with rotation.
SOC2 Type II. Custom LPU hardware. Data not retained after response. SSO on Enterprise. Per-key rate limiting. No fine-tuning = no stored model data.
No SSO. No audit log. Good basics but missing enterprise features.
Young company, no SOC2 yet. No SSO or audit log. DKIM/SPF support.
Docker-based security model. No SSO or audit log. Private networking via WireGuard. Smaller team = slower security patches.
Young company, no SOC2 yet. Edge SQLite via libSQL. No SSO or audit log. Data can be replicated globally — know where your data lives.
SOC2 Type II achieved 2023. No SSO, no audit log, no bug bounty. Deploy previews inherit production env vars if misconfigured.
Self-hosted platform — you own the infra and all compliance. No cloud certifications apply. Security is entirely your responsibility. SSH key management critical.
Open-source with self-hosted option. No SOC2 yet (early-stage). No SSO or audit log on cloud plan. Self-host for full control.
German company with strict GDPR compliance. No SOC2 or HIPAA. No managed encryption at rest — bring your own. No SSO or audit log. Great value but security is DIY.
Cloud service launched 2024. No SOC2 yet. Built on PostgreSQL so inherits some data-at-rest guarantees. Self-hosted option for compliance-sensitive workloads.
Early-stage email marketing platform. No SOC2 yet. No SSO or audit log. DKIM/SPF support. Basic API key auth — no scoped tokens.
Self-hosted headless CMS — security depends on your infrastructure. Payload Cloud is young with no SOC2 yet. Built-in access control with field-level permissions. Auth uses local strategy by default.
Self-hosted with full control. Directus Cloud has no SOC2. SSO via OAuth/SAML available. Granular role-based access control. Activity log for all data changes.
Globally distributed S3-compatible object storage. Young service — no SOC2 yet. Integrated with Fly.io. Data replicated to edge locations — understand data residency implications.
Self-hosted S3-compatible storage — you own all compliance. SSE-S3 and SSE-KMS encryption. LDAP/AD/OIDC integration. Audit log with webhook targets. Security is entirely your responsibility.
Self-hosted reverse proxy and ingress controller. Auto TLS via Let's Encrypt. Dashboard has basic auth — use middleware for proper auth. No built-in audit log. Traefik Enterprise adds SSO and RBAC.
2023 breach was severe — required all customers to rotate secrets. SOC2 Type II. OIDC token auth for cloud providers reduces secret exposure. SSO on Scale plan.
Self-hosted GitOps tool. SSO via Dex/OIDC. RBAC with project-level isolation. Audit log built-in. 2022 CVE was patched quickly. Secrets management requires external integration (Vault, Sealed Secrets).
Self-hosted Kubernetes management. SAML/OIDC SSO. RBAC with cluster/project/namespace scoping. Audit log for API calls. CIS benchmark scanning built-in. Security depends on your infrastructure.
Self-hosted Docker/K8s management UI. LDAP/OAuth SSO on Business Edition. RBAC with team-based access. Audit log on Business Edition. Runs with Docker socket access — high privilege surface.
French cloud provider with strong GDPR stance. ISO 27001 certified. No SOC2. No SSO — account-level auth only. Managed encryption via Secret Manager. Data sovereignty in EU.
SOC2 Type II, ISO 27001. 2021 fire was catastrophic for affected customers. IAM with SSO available. GDPR-compliant EU hosting. Backups must be configured to different DC explicitly.
Open-source BaaS. Self-hosted option for full control. Cloud service has no SOC2 yet. API key and JWT auth. Built-in abuse protection and rate limiting. Activity log on all plans.
Open-source Firebase alternative built on Hasura + PostgreSQL. No SOC2 yet. No SSO or audit log on cloud. Self-hosted option available. Row-level security via Hasura permissions.
Ghost(Pro) managed hosting. No SOC2. Self-hosted option for full control. Staff roles with limited permission model. No SSO on managed plan. API keys with content/admin separation.
No SOC2 yet. No SSO or audit log. GDPR-compliant. Sites served via Cloudflare CDN for DDoS protection. Team permissions with editor/viewer roles. Growing platform with maturing security posture.
SOC2 Type II. ML model hosting and inference. API token auth. No SSO or audit log on standard plans. Public model predictions are not private — use private deployments for sensitive data.
No SOC2. Bug bounty via HackerOne. 2FA available but not required. No SSO. Voice chat E2E encrypted via DAVE protocol since 2024. Not designed for enterprise/regulated workloads.
Open-source runtime. Security depends on your application code and dependencies. Lockfile (bun.lock) ensures reproducible installs. Audit subcommand checks for known vulns. No managed cloud product as of 2026.
ISO 27001 certified. GDPR-compliant, EU-hosted. No SOC2 Type II yet as of 2026. No bug bounty. Free tier data used for training — use paid tier for any sensitive workloads.
SOC2 Type II. Hosts open source models. API key auth — no scoped permissions. No SSO or audit log on standard plans. No HIPAA BAA. No bug bounty program.
SOC2 Type II. ML model inference. Public model predictions are not private — use private Deployments for sensitive data. No SSO or audit log. No HIPAA BAA.
PCI DSS Level 1 compliant (required as Merchant of Record). GDPR-compliant EU operations. No SOC2 Type II published. No bug bounty. Team logins have 2FA available. Fraud and dispute handling built-in.
Open source sync engine. Data synced to client — consider what you replicate. Shape-based sync rules control exposure. Self-host only.
Open source CRM. Self-host for sensitive data. Docker Compose. No SOC2. PostgreSQL encryption. GraphQL API auth via API keys.
EU-based Merchant of Record. Open source — audit the code yourself. No SOC2 yet. PCI compliance handled via Stripe underneath. Webhook signature verification.
Client-side Postgres in WASM. No server, so no server-side breach, but data stored in the browser is readable by any script running in the page (XSS) and by anyone with access to the device. Also runs in Node.js. Security is your app's responsibility. No network attack surface of its own.
Self-hosted only. PostgreSQL backend with standard encryption. No cloud = you control everything. Basic auth built-in. No SSO, no audit log. Add reverse proxy with TLS.
Linux Foundation fork of Redis. Self-hosted. TLS support. ACL-based auth. No managed service certification (use your cloud provider's certs). Default config has no auth — always enable requirepass.
Self-hosted PaaS. Security is entirely your responsibility. SSH key management critical. Dashboard has basic auth. No SOC2. Add Cloudflare Tunnel or VPN for production use.
No SOC2. GDPR compliant. Per-database auth tokens. Embedded replicas use local SQLite files — consider local storage security. Edge replication means data in multiple regions.
Very young project. No SOC2, no SSO, no audit log. Self-hosted only for production-grade security. Cloud beta has minimal compliance posture.
Self-hosted open-source metrics. No built-in auth or encryption — use reverse proxy with TLS. No audit log. Security depends entirely on your infrastructure and network policies.
Self-hosted — all security is your responsibility. Plugin ecosystem is a major attack surface. LDAP/SAML SSO via plugins. Credentials stored encrypted but master key management is critical.
Self-hosted single-binary BaaS. SQLite-based. No built-in TLS — use reverse proxy. No encryption at rest. Admin UI with basic auth. Activity log built-in. Security entirely your responsibility.