Security & trust

We hold the keys to your sites. Here’s how we keep them safe.

PowerSEC is built for the unglamorous reality of running other people’s WordPress sites: signed actions, scoped keys, encrypted transport, and backups you can actually restore.

Signed, auditable remote actions

Every action PowerSEC sends to a connected site is HMAC-signed with a per-site key. Requests carry a timestamp and a one-time nonce, and are rejected outside a short validity window — so a captured request can’t be replayed. Each action is recorded in the site’s audit log.

Scoped, per-site credentials

Sites authenticate with their own keys, separated by scope: a telemetry key for read/report traffic and a remote key for privileged actions. Compromising one site’s key never grants access to another, and keys can be rotated or revoked from Central.

Secure transport & scoped keys

All traffic between your sites, the dashboard, and Central runs over TLS. Per-site keys are scoped, rotatable, and revocable from Central; billing and third-party integration tokens are encrypted at rest.

Verified, recoverable backups

Backups travel over encrypted (TLS) connections and are kept in secure cloud storage, encrypted at rest by the provider. Each upload is SHA-256-verified and re-checked for integrity in storage — downloaded only through short-lived, signed URLs, never from a public, guessable location.

Least-privilege access

Dashboard access is JWT-based with role separation (owner, team, support, admin). Plan and feature gates are enforced on the server, not just hidden in the UI, so the API is the source of truth for who can do what.

Responsible disclosure

Found a vulnerability? We want to hear about it. Email security@powersec.io and we’ll acknowledge and work with you on a fix. We don’t pursue good-faith researchers who follow responsible disclosure.

How it works

The lifecycle of a signed action.

Every request between a site and Central runs the same gauntlet — sign, verify, authorize, audit — and every new request starts the loop over.

Scoped key

The site holds its own telemetry and remote keys — scoped, rotatable, and revocable from Central.

Sign over TLS

Each request is HMAC-signed over its timestamp, one-time nonce, method, path, and body hash — sent only over TLS.

Verify

Central checks the signature with a constant-time compare, a short timestamp window, and a one-time nonce — so a captured request can’t be replayed.

Authorize

JWT roles (owner, team, support, admin) plus server-side plan and feature gates decide what the caller may do.

Execute & audit

The action runs and is written to the site’s audit log — every privileged change leaves a receipt.

Recover

Integrity-verified backups are pulled only through short-lived, signed URLs — never a public, guessable location.

Site ↔ Central traffic is HMAC-signed; dashboard ↔ Central traffic is JWT-authenticated — both authorized server-side, where the API is the source of truth.

Where your data lives

The PowerSEC dashboard and API run on managed cloud infrastructure with TLS everywhere — connections between your sites and Central are required to be encrypted (HTTPS). Backups and uploaded files are kept in secure cloud storage and accessed only through short-lived signed URLs. We store the minimum we need to monitor and protect your fleet — security findings, backup metadata, and the settings you configure.

We do not sell your data. See our Privacy Policy and Terms for how data is handled, retained, and deleted.

Report a security issue

Responsible disclosure is welcome. Email security@powersec.io — we aim to acknowledge reports within 3 business days and will keep you updated on the fix. We won’t pursue good-faith researchers who follow responsible disclosure and avoid privacy violations, data destruction, or service disruption. See security.txt.

security@powersec.io
Hacked? Talk to us