Skip to main content
This page summarizes the security topics customers ask about most often and where to find or request details.

What Rollout already enforces

  • Server‑side token minting: your Client Secret never touches the browser.
  • Signed webhooks: verify events with X-Rollout-Signature (HMAC SHA256).
  • Credential scoping: API requests are scoped to the credentialId you provide.

Data handling expectations

  • Rollout acts as a processor for your users’ connected accounts.
  • You control which systems are connected and which credentials are active.
  • You decide how data is stored and used on your side (API calls, webhooks, or Sync to DB).

Enterprise security artifacts (available on request)

If you need any of the following for procurement or security review, contact support:
  • Security questionnaire responses
  • Data retention and deletion policy
  • Incident response process
  • Compliance documentation (e.g., SOC reports)
  • DPA or custom legal terms
  • Subprocessor list updates
  • Validate webhook signatures on every request.
  • Rotate credentials if you suspect exposure.
  • Treat Rollout‑synced database tables as read‑only (Sync to DB).

Next steps

  • Read the Security page in this section.
  • Review Privacy Policy and Data Subprocessors.
  • Contact support if you need formal security documentation.