Passmint
TemplatesDocsPricingBlog
Log inGet started
Passmint

Apple and Google Wallet passes from one API. Built for people who ship.

Product
  • Pass Designer
  • Developers
  • Distribution
  • Analytics
  • Templates
  • Pricing
Developers
  • Documentation
  • API reference
  • Node SDK
  • Webhooks
Company
  • Changelog
  • About
  • Contact
  • Support
  • Security
  • Terms
  • Privacy
Social
  • GitHub
  • X

© 2026 Passmint. Built for indie makers.

Apple Wallet & Google Wallet, one API.

Skip to content

Trust

Security at Passmint

Last updated April 24, 2026

Report a vulnerability→

Contents

  1. 01Overview
  2. 02Data handling
  3. 03Credentials & certificates
  4. 04Encryption
  5. 05Infrastructure
  6. 06Access control
  7. 07Application security
  8. 08Availability
  9. 09Compliance
  10. 10Subprocessors
  11. 11Vulnerability disclosure
  12. 12Contact

01

Overview

Passmint is a developer platform for issuing Apple Wallet passes. This page describes how we handle customer and end-user data, how we protect customer-provided signing credentials, and the infrastructure we run on. It is updated as our security posture changes — see the timestamp above.

Enterprise buyers can request our full security package — DPA, current subprocessor list, and responses to common security questionnaires — by emailing security@passmint.com.

02

Data handling

Passmint processes three kinds of customer data, each with a different retention policy.

Account data
Organization details, user accounts, API keys, billing contacts.
Pass content
Templates you author and the field values, barcodes, and assets you issue into passes.
Pass-holder data
End-user information you pass through for pass issuance — typically name, email, or whatever fields your template defines.

What we do not store

  • Payment card numbers. Billing is handled directly by Stripe; Passmint never receives card data.
  • End-user passwords. Passmint has no end-user accounts — pass holders interact with Apple Wallet, not Passmint.
  • Pass-holder data beyond what you send us. We do not enrich, purchase, or collect additional end-user information.

Data residency

All customer data is stored in the United States. The web tier and API run on Vercel's US regions, the primary application database is hosted by PlanetScale in the US, and encrypted credential material and pass assets are stored in a single AWS US region.

Retention

DataRetention
Account data (organization, users, billing)Retained for the life of the account; deleted within 30 days of account closure.
Templates and issued passesCustomer-controlled. Deleted immediately on request via the dashboard or API.
API request logs30 days, then purged.
Webhook delivery logs30 days, then purged.
Authentication & security audit events365 days.
Encrypted database backups30 days.

03

Credentials & certificates

The most sensitive material Passmint holds is your Apple PassKit signing certificate. Apple requires every pass to be signed with a certificate issued to your Apple Developer team, so the private key that signs on your behalf must be available to our issuing service at runtime. We treat that constraint with care.

How private keys are stored

When you upload a signed .cer from Apple, the corresponding private key (PKCS#8 PEM) is envelope-encrypted before it ever touches durable storage:

  1. A fresh 256-bit data encryption key (DEK) is generated in memory for the upload.
  2. The private key is encrypted with AES-256-GCM using that DEK (12-byte IV, 16-byte authentication tag).
  3. The DEK is wrapped by our AWS KMS customer master key. The plaintext DEK is zeroed in memory immediately after wrapping.
  4. The encrypted private key and the KMS-wrapped DEK are persisted to the database. Neither value is useful without access to the KMS key.

The signer certificate (.cer) and Apple's WWDR intermediate are stored in S3. These are public certificates, not secrets.

Who can access them

No Passmint employee has standing access to customer private keys. kms:Decrypt on the customer master key is granted only to the IAM principals the pass-issuing service runs as. Decryption happens on demand during pass signing, in process memory; plaintext material is never written to logs or durable storage.

Rotation

You can generate a new CSR at any time from the dashboard, sign it in your Apple Developer account, and upload the new .cer to replace the existing certificate. Coordinated rotations (for example, scheduled cutovers or suspected key compromise) are currently support-assisted — email security@passmint.com and we'll help.

On account deletion

Encrypted key material and the corresponding KMS-wrapped DEKs are hard-deleted within 30 days of account closure. After that window the material is unrecoverable, including by Passmint.

04

Encryption

All customer data is encrypted at rest and in transit. Signing credentials receive an additional envelope-encryption layer above the storage-level encryption.

At rest
AES-256 at the storage layer for PlanetScale (database) and AWS S3 (pass assets). Encrypted database backups inherit the same encryption.
In transit
TLS 1.2 minimum; TLS 1.3 negotiated where supported. Modern AEAD cipher suites only (AES-GCM, ChaCha20-Poly1305). HSTS enabled on passmint.com and api.passmint.com.
Credentials
Envelope encryption: AES-256-GCM with per-secret DEKs wrapped by AWS KMS. See Credentials & certificates.
Webhook signing
HMAC-SHA256 over {timestamp}.{body} using a per-endpoint 192-bit secret. Verified with a 5-minute replay tolerance.
API key storage
Keys are hashed with SHA-256 before persistence. The plaintext key is shown once at creation and never stored.
Key management
A single AWS KMS customer master key in one US region wraps all per-secret DEKs. KMS decrypt permissions are restricted to the pass-issuing service's runtime IAM principals.

05

Infrastructure

Passmint runs on managed infrastructure from Vercel, AWS, and PlanetScale. We do not operate our own servers.

Web & API hosting
Vercel (US regions). Functions run on Fluid Compute with standard Node.js runtimes.
Application database
PlanetScale (US region). TLS-only. No public ingress — connections use PlanetScale-managed endpoints authenticated with per-environment credentials.
Object storage
AWS S3 (US region). Per-organization prefixes; access restricted to the issuing service's IAM principals.
Key management
AWS KMS customer master key in a single US region.
DDoS & WAF
Vercel platform-level DDoS mitigation and WAF protect all customer-facing endpoints.
Secrets
Environment-scoped secrets in Vercel; provider secrets (AWS, PlanetScale, Stripe, Resend) are issued per environment and rotated on departure of any engineer with access.

06

Access control (internal)

Passmint is a small team. We keep the surface area of production access correspondingly small.

  • All employee access to production systems — Vercel, AWS, PlanetScale, Stripe, Resend, email, source control — is behind SSO with MFA required.
  • Production database access is restricted to engineering staff with an operational need. Application code accesses the database through environment-scoped credentials, not through personal accounts.
  • Provider-native audit logs (Vercel, AWS CloudTrail, PlanetScale audit log) record console and API access to production resources.
  • Access is revoked on offboarding as part of a documented checklist; provider credentials tied to the departing engineer are rotated.

07

Application security

The Passmint API is a small, opinionated surface. These are the guarantees we make today, and the ones we explicitly do not yet make.

API authentication
Bearer API keys with mode prefixes — pmk_test_… and pmk_live_…. Test and live data are separated at the middleware layer. Keys are SHA-256-hashed at rest; the plaintext is returned once at creation. Keys are revocable and support expiry timestamps.
Scoped permissions
All keys today have full access within their organization. Scoped API tokens are on the roadmap; flag interest to us if this blocks you.
Webhook signatures
Every delivery is signed with HMAC-SHA256 and sent in a passmint-signature header of the form t=…,v1=…. We recommend verifying the signature and rejecting timestamps older than five minutes.
Delivery retries
Failed webhook deliveries are retried with exponential backoff over roughly 24 hours (up to 7 attempts) before being marked dead. Each attempt has a 10-second timeout.
Input validation
Pass fields are validated server-side against the template schema. Asset uploads are size-limited and content-type checked before being written to S3.
Rate limiting
Platform-level rate limits and abuse protections are provided by Vercel today. Per-tenant application rate limits are on the roadmap.
Dependencies
TODO — confirm dependency scanning setup (Dependabot, pnpm audit in CI, SAST tooling).

08

Availability & reliability

Pass issuance is a real-time user-facing surface — a pass that fails to install is visible to your end user immediately — so availability is a first-class concern.

Status page
status.passmint.com
Uptime target
TODO — commit to a public SLA (e.g. 99.9% monthly).
Backups
PlanetScale's managed backup and point-in-time restore applies to the primary application database. Encrypted credential material is backed up as part of the database. Retention: 30 days.
Restore testing
TODO — document cadence of restore drills.
Incident communication
Incidents affecting customer data or availability are posted to the status page. For incidents that involve customer personal data, affected customers will be notified via the registered account-owner email within 72 hours of confirmation.

09

Compliance & attestations

We believe the honest version of this section is more useful than the aspirational one.

Passmint does not currently hold SOC 2, ISO 27001, or PCI attestations. We operate to a SOC 2–aligned control set internally and will pursue formal audit as customer demand justifies the investment. If a prospective customer's procurement process requires a specific attestation, tell us — that is the signal that moves this up the roadmap.

GDPR

Passmint acts as a data processor for the pass-holder data you submit and as a controller for your account data. A DPA is available on request at security@passmint.com. Our Privacy Policy describes how we process personal data. See the subprocessor list below; material changes will be announced here before they take effect.

Penetration testing

TODO — no external penetration test has been performed yet. Replace this paragraph once a test has been commissioned and a summary is available on request.

10

Subprocessors

The third parties below process customer data on our behalf. Material additions will be announced on this page before they take effect.

VendorPurposeData processedRegion
VercelWeb and API hosting, edge compute, product analyticsCustomer request/response data, aggregated usage analyticsUS
PlanetScalePrimary application databaseAccount data, templates, passes, request and webhook logsUS
AWSKey management (KMS) and object storage (S3)KMS-wrapped DEKs, encrypted signing keys, pass assetsUS
StripeBilling and payment processingCustomer billing contact; payment methods processed directly by Stripe and never stored by PassmintUS / Global
ResendTransactional email deliveryCustomer email addresses and email contentUS
AppleApple Wallet pass distributionPass payloads and push registrations required by the PassKit protocolGlobal
GoogleGoogle Wallet pass distributionPass payloads and issuance metadata required by Google WalletGlobal

11

Vulnerability disclosure

We welcome reports from security researchers. The fastest path to a fix is a clear report sent to the address below.

Contact
security@passmint.com
First response
Within 2 business days.
What to include
Clear reproduction steps, affected endpoints or artifacts, and the earliest time we can contact you for follow-up.
Bug bounty
No formal program today. We recognize significant reports case-by-case.

Safe harbor

Passmint will not pursue legal action against researchers who act in good faith, give us a reasonable window to remediate before public disclosure, avoid privacy violations and service disruption, and do not access or modify customer data beyond the minimum needed to demonstrate the issue.

12

Contact

The right address depends on what you're asking about.

Security questions
security@passmint.com
Privacy requests
privacy@passmint.com
Enterprise prospects
Email security@passmint.com to request the DPA, subprocessor list, and our responses to common security questionnaires.