PowerSEC is built for the unglamorous reality of running other people’s WordPress sites: signed actions, scoped keys, encrypted secrets, and backups you can actually restore.
Every action PowerSEC sends to a connected site is HMAC-signed with a per-site key. Requests carry a timestamp and a one-time nonce, and are rejected outside a short validity window — so a captured request can’t be replayed. Each action is recorded in the site’s audit log.
Sites authenticate with their own keys, separated by scope: a telemetry key for read/report traffic and a remote key for privileged actions. Compromising one site’s key never grants access to another, and keys can be rotated or revoked from Central.
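The signed-action scheme and the scope separation described above, modelled as an added Python example (not PowerSEC's own code): Central signs a request with the site's scoped key, and the site accepts it only if the signature verifies under the remote key, the timestamp is inside the validity window, and the nonce has not been seen. The key layout, the 60-second window and the canonical field order are assumptions for illustration.

```python
import hmac, hashlib, json, secrets, time

# Constructed per-site keys, separated by scope (assumed layout, not PowerSEC's real key format).
SITE_KEYS = {
    "site-a": {"telemetry": b"tele-key-a", "remote": b"remote-key-a"},
    "site-b": {"telemetry": b"tele-key-b", "remote": b"remote-key-b"},
}
WINDOW_SECONDS = 60  # assumed validity window for a signed action

def canonical(site_id, scope, action, ts, nonce, body):
    # Deterministic byte string covering every field the signature must protect.
    fields = [site_id, scope, action, ts, nonce, body]
    return json.dumps(fields, separators=(",", ":"), sort_keys=True).encode()

def sign_action(site_id, scope, action, body, key, now=None):
    """Central side: build a signed request for one site with a fresh timestamp and nonce."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    sig = hmac.new(key, canonical(site_id, scope, action, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"site": site_id, "scope": scope, "action": action, "ts": ts, "nonce": nonce, "body": body, "sig": sig}

class SiteVerifier:
    """Site side: accept an action only if it is fresh, unseen and signed with the right scoped key."""
    def __init__(self, site_id, keys, window=WINDOW_SECONDS):
        self.site_id, self.keys, self.window = site_id, keys, window
        self.seen = {}  # nonce -> timestamp, pruned once outside the window

    def verify(self, req, now=None):
        now = int(now if now is not None else time.time())
        if req["site"] != self.site_id:
            return "wrong-site"
        if req["scope"] != "remote":            # privileged actions need the remote key, not telemetry
            return "wrong-scope"
        if abs(now - req["ts"]) > self.window:   # outside the validity window: stale or clock skew
            return "stale"
        msg = canonical(req["site"], req["scope"], req["action"], req["ts"], req["nonce"], req["body"])
        expected = hmac.new(self.keys["remote"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):  # check signature before touching nonce state
            return "bad-signature"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if req["nonce"] in self.seen:           # same signed request seen again: replay
            return "replayed"
        self.seen[req["nonce"]] = req["ts"]
        return "ok"
```

Checking the signature before recording the nonce keeps unauthenticated traffic from filling the replay cache; a key signed for site-b fails on site-a because the per-site key, not just the site id, is under the MAC.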
All traffic between your sites, the dashboard, and Central runs over TLS. Sensitive values (API keys, integration secrets) are encrypted at rest, not stored in plaintext.
Backups travel over encrypted (TLS) connections and are kept in secure cloud storage. Each transfer is integrity-signed, and backups are restore-tested rather than assumed good. They are downloaded only through short-lived, signed URLs, never from a public, guessable location.
Dashboard access is JWT-based with role separation (owner, team, support, admin). Plan and feature gates are enforced on the server, not just hidden in the UI, so the API is the source of truth for who can do what.
Found a vulnerability? We want to hear about it. Email security@powersec.io and we’ll acknowledge and work with you on a fix. We don’t pursue good-faith researchers who follow responsible disclosure.
The PowerSEC dashboard and API run on managed cloud infrastructure with TLS everywhere — connections between your sites and Central are required to be encrypted (HTTPS). Backups and uploaded files are kept in secure cloud storage and accessed only through short-lived signed URLs. We store the minimum we need to monitor and protect your fleet — security findings, backup metadata, and the settings you configure.
We do not sell your data. See our Privacy Policy and Terms for how data is handled, retained, and deleted.
Responsible disclosure is welcome. We respond to every report.