01
Overview
Passmint is a developer platform for issuing Apple Wallet passes. This page describes how we handle customer and end-user data, how we protect customer-provided signing credentials, and the infrastructure we run on. It is updated as our security posture changes — see the timestamp above.
Enterprise buyers can request our full security package — DPA, current subprocessor list, and responses to common security questionnaires — by emailing security@passmint.com.
02
Data handling
Passmint processes three kinds of customer data, each with a different retention policy.
- Account data
- Organization details, user accounts, API keys, billing contacts.
- Pass content
- Templates you author and the field values, barcodes, and assets you issue into passes.
- Pass-holder data
- End-user information you pass through for pass issuance — typically name, email, or whatever fields your template defines.
What we do not store
- Payment card numbers. Billing is handled directly by Stripe; Passmint never receives card data.
- End-user passwords. Passmint has no end-user accounts — pass holders interact with Apple Wallet, not Passmint.
- Pass-holder data beyond what you send us. We do not enrich, purchase, or collect additional end-user information.
Data residency
All customer data is stored in the United States. The web tier and API run on Vercel's US regions, the primary application database is hosted by PlanetScale in the US, and encrypted credential material and pass assets are stored in a single AWS US region.
Retention
| Data | Retention |
|---|---|
| Account data (organization, users, billing) | Retained for the life of the account; deleted within 30 days of account closure. |
| Templates and issued passes | Customer-controlled. Deleted immediately on request via the dashboard or API. |
| API request logs | 30 days, then purged. |
| Webhook delivery logs | 30 days, then purged. |
| Authentication & security audit events | 365 days. |
| Encrypted database backups | 30 days. |
03
Credentials & certificates
The most sensitive material Passmint holds is your Apple PassKit signing certificate. Apple requires every pass to be signed with a certificate issued to your Apple Developer team, so the private key that signs on your behalf must be available to our issuing service at runtime. We treat that constraint with care.
How private keys are stored
When you upload a signed .cer from Apple, the corresponding private key (PKCS#8 PEM) is envelope-encrypted before it ever touches durable storage:
- A fresh 256-bit data encryption key (DEK) is generated in memory for the upload.
- The private key is encrypted with
AES-256-GCMusing that DEK (12-byte IV, 16-byte authentication tag). - The DEK is wrapped by our AWS KMS customer master key. The plaintext DEK is zeroed in memory immediately after wrapping.
- The encrypted private key and the KMS-wrapped DEK are persisted to the database. Neither value is useful without access to the KMS key.
The signer certificate (.cer) and Apple's WWDR intermediate are stored in S3. These are public certificates, not secrets.
Who can access them
No Passmint employee has standing access to customer private keys. kms:Decrypt on the customer master key is granted only to the IAM principals the pass-issuing service runs as. Decryption happens on demand during pass signing, in process memory; plaintext material is never written to logs or durable storage.
Rotation
You can generate a new CSR at any time from the dashboard, sign it in your Apple Developer account, and upload the new .cer to replace the existing certificate. Coordinated rotations (for example, scheduled cutovers or suspected key compromise) are currently support-assisted — email security@passmint.com and we'll help.
On account deletion
Encrypted key material and the corresponding KMS-wrapped DEKs are hard-deleted within 30 days of account closure. After that window the material is unrecoverable, including by Passmint.
04
Encryption
All customer data is encrypted at rest and in transit. Signing credentials receive an additional envelope-encryption layer above the storage-level encryption.
- At rest
- AES-256 at the storage layer for PlanetScale (database) and AWS S3 (pass assets). Encrypted database backups inherit the same encryption.
- In transit
TLS 1.2minimum;TLS 1.3negotiated where supported. Modern AEAD cipher suites only (AES-GCM, ChaCha20-Poly1305). HSTS enabled onpassmint.comandapi.passmint.com.- Credentials
- Envelope encryption:
AES-256-GCMwith per-secret DEKs wrapped by AWS KMS. See Credentials & certificates. - Webhook signing
HMAC-SHA256over{timestamp}.{body}using a per-endpoint 192-bit secret. Verified with a 5-minute replay tolerance.- API key storage
- Keys are hashed with
SHA-256before persistence. The plaintext key is shown once at creation and never stored. - Key management
- A single AWS KMS customer master key in one US region wraps all per-secret DEKs. KMS decrypt permissions are restricted to the pass-issuing service's runtime IAM principals.
05
Infrastructure
Passmint runs on managed infrastructure from Vercel, AWS, and PlanetScale. We do not operate our own servers.
- Web & API hosting
- Vercel (US regions). Functions run on Fluid Compute with standard Node.js runtimes.
- Application database
- PlanetScale (US region). TLS-only. No public ingress — connections use PlanetScale-managed endpoints authenticated with per-environment credentials.
- Object storage
- AWS S3 (US region). Per-organization prefixes; access restricted to the issuing service's IAM principals.
- Key management
- AWS KMS customer master key in a single US region.
- DDoS & WAF
- Vercel platform-level DDoS mitigation and WAF protect all customer-facing endpoints.
- Secrets
- Environment-scoped secrets in Vercel; provider secrets (AWS, PlanetScale, Stripe, Resend) are issued per environment and rotated on departure of any engineer with access.
06
Access control (internal)
Passmint is a small team. We keep the surface area of production access correspondingly small.
- All employee access to production systems — Vercel, AWS, PlanetScale, Stripe, Resend, email, source control — is behind SSO with MFA required.
- Production database access is restricted to engineering staff with an operational need. Application code accesses the database through environment-scoped credentials, not through personal accounts.
- Provider-native audit logs (Vercel, AWS CloudTrail, PlanetScale audit log) record console and API access to production resources.
- Access is revoked on offboarding as part of a documented checklist; provider credentials tied to the departing engineer are rotated.
07
Application security
The Passmint API is a small, opinionated surface. These are the guarantees we make today, and the ones we explicitly do not yet make.
- API authentication
- Bearer API keys with mode prefixes —
pmk_test_…andpmk_live_…. Test and live data are separated at the middleware layer. Keys areSHA-256-hashed at rest; the plaintext is returned once at creation. Keys are revocable and support expiry timestamps. - Scoped permissions
- All keys today have full access within their organization. Scoped API tokens are on the roadmap; flag interest to us if this blocks you.
- Webhook signatures
- Every delivery is signed with
HMAC-SHA256and sent in apassmint-signatureheader of the formt=…,v1=…. We recommend verifying the signature and rejecting timestamps older than five minutes. - Delivery retries
- Failed webhook deliveries are retried with exponential backoff over roughly 24 hours (up to 7 attempts) before being marked dead. Each attempt has a 10-second timeout.
- Input validation
- Pass fields are validated server-side against the template schema. Asset uploads are size-limited and content-type checked before being written to S3.
- Rate limiting
- Platform-level rate limits and abuse protections are provided by Vercel today. Per-tenant application rate limits are on the roadmap.
- Dependencies
- TODO — confirm dependency scanning setup (Dependabot, pnpm audit in CI, SAST tooling).
08
Availability & reliability
Pass issuance is a real-time user-facing surface — a pass that fails to install is visible to your end user immediately — so availability is a first-class concern.
- Status page
- status.passmint.com
- Uptime target
- TODO — commit to a public SLA (e.g. 99.9% monthly).
- Backups
- PlanetScale's managed backup and point-in-time restore applies to the primary application database. Encrypted credential material is backed up as part of the database. Retention: 30 days.
- Restore testing
- TODO — document cadence of restore drills.
- Incident communication
- Incidents affecting customer data or availability are posted to the status page. For incidents that involve customer personal data, affected customers will be notified via the registered account-owner email within 72 hours of confirmation.
09
Compliance & attestations
We believe the honest version of this section is more useful than the aspirational one.
Passmint does not currently hold SOC 2, ISO 27001, or PCI attestations. We operate to a SOC 2–aligned control set internally and will pursue formal audit as customer demand justifies the investment. If a prospective customer's procurement process requires a specific attestation, tell us — that is the signal that moves this up the roadmap.
GDPR
Passmint acts as a data processor for the pass-holder data you submit and as a controller for your account data. A DPA is available on request at security@passmint.com. Our Privacy Policy describes how we process personal data. See the subprocessor list below; material changes will be announced here before they take effect.
Penetration testing
TODO — no external penetration test has been performed yet. Replace this paragraph once a test has been commissioned and a summary is available on request.
10
Subprocessors
The third parties below process customer data on our behalf. Material additions will be announced on this page before they take effect.
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Vercel | Web and API hosting, edge compute, product analytics | Customer request/response data, aggregated usage analytics | US |
| PlanetScale | Primary application database | Account data, templates, passes, request and webhook logs | US |
| AWS | Key management (KMS) and object storage (S3) | KMS-wrapped DEKs, encrypted signing keys, pass assets | US |
| Stripe | Billing and payment processing | Customer billing contact; payment methods processed directly by Stripe and never stored by Passmint | US / Global |
| Resend | Transactional email delivery | Customer email addresses and email content | US |
| Apple | Apple Wallet pass distribution | Pass payloads and push registrations required by the PassKit protocol | Global |
| Google Wallet pass distribution | Pass payloads and issuance metadata required by Google Wallet | Global |
11
Vulnerability disclosure
We welcome reports from security researchers. The fastest path to a fix is a clear report sent to the address below.
- Contact
- security@passmint.com
- First response
- Within 2 business days.
- What to include
- Clear reproduction steps, affected endpoints or artifacts, and the earliest time we can contact you for follow-up.
- Bug bounty
- No formal program today. We recognize significant reports case-by-case.
Safe harbor
Passmint will not pursue legal action against researchers who act in good faith, give us a reasonable window to remediate before public disclosure, avoid privacy violations and service disruption, and do not access or modify customer data beyond the minimum needed to demonstrate the issue.
12
Contact
The right address depends on what you're asking about.
- Security questions
- security@passmint.com
- Privacy requests
- privacy@passmint.com
- Enterprise prospects
- Email security@passmint.com to request the DPA, subprocessor list, and our responses to common security questionnaires.