Security

Security built for partner data and payout workflows.

Partner program software touches attribution data, payout records, and customer-linked events. We design OpenPartner so brands can inspect the controls, understand the payout model, and choose hosted or self-hosted deployment based on their own risk posture.

What we do

Controls in place today.

Encryption in transit

TLS is used across the router, API, and portal. Stripe webhooks are verified before any payout or ledger side effects happen.
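As an illustration of the "verify before side effects" rule above, here is an added example that is not OpenPartner's own code: it checks a Stripe-style `Stripe-Signature` header (`t=<timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<body>">`) with a constant-time comparison and a replay window, and only a verified event is allowed to touch the ledger. The endpoint secret, the event body and the `handle_payout_webhook` / `sign_for_test` helpers are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed endpoint secret for this example (assumption: a real deployment loads
# it from configuration; it never comes from the request).
ENDPOINT_SECRET = "whsec_example_secret_for_illustration"
# Signatures older than this are rejected so a captured request cannot be replayed later.
TOLERANCE_SECONDS = 300


def parse_signature_header(header):
    """Parse 't=<ts>,v1=<hex>[,v1=<hex>...]' into (timestamp, [signatures])."""
    timestamp = None
    signatures = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)  # raises ValueError on a malformed timestamp
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def compute_signature(secret, timestamp, payload):
    """HMAC-SHA256 over the signed payload '<timestamp>.<raw body bytes>'."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(payload, header, secret, now=None):
    """Return True only if the header carries a fresh, valid signature for payload."""
    now = time.time() if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if timestamp is None or not signatures:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, payload)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def handle_payout_webhook(payload, header, secret, ledger, now=None):
    """Side effects (here: appending to a list standing in for the ledger) happen
    only after verification succeeds."""
    if not verify_webhook(payload, header, secret, now=now):
        return "rejected"
    ledger.append(payload)
    return "recorded"


def sign_for_test(secret, timestamp, payload):
    """Build a header the way the sender would; used to exercise the verifier offline."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


if __name__ == "__main__":
    # Constructed event body; not a real Stripe event.
    body = b'{"id":"evt_constructed","type":"transfer.created"}'
    ts = int(time.time())
    header = sign_for_test(ENDPOINT_SECRET, ts, body)
    ledger = []
    print(handle_payout_webhook(body, header, ENDPOINT_SECRET, ledger))          # recorded
    print(handle_payout_webhook(body + b" ", header, ENDPOINT_SECRET, ledger))   # rejected
```

The verifier takes the raw request bytes, not a re-serialized JSON object, because any whitespace or key-order change alters the HMAC; the handler returns before touching the ledger for a tampered body, a wrong secret, or a stale timestamp.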

Encryption at rest

Sensitive credentials are encrypted before persistence so plaintext secrets do not flow back to the client or sit unprotected in storage.

Authentication and roles

Magic-link sign-in, scoped sessions, and explicit role checks protect both brand and partner surfaces of the product.

Immutable audit trail

Clicks, identities, conversions, commissions, and payouts are treated like ledger records so changes are traceable instead of quietly overwritten.
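To show what "treated like ledger records" means in practice, here is an added example (not OpenPartner's code, and its schema is an assumption): an append-only store in which a correction is a new entry that points at the one it supersedes, and each entry commits to the hash of the previous entry, so a silent in-place edit is detectable and the full history of a commission stays readable.

```python
import hashlib
import json


class AppendOnlyLedger:
    """Entries are only ever appended. Corrections reference the superseded entry
    instead of overwriting it, and a hash chain makes rewrites detectable.
    Illustrative design, not the project's actual storage layer (assumption)."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []

    @staticmethod
    def _hash(record):
        # Canonical JSON so the same record always hashes the same way.
        return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

    def append(self, kind, data, supersedes=None):
        """Add a record (e.g. kind='commission') and return its sequence number."""
        prev_hash = self._entries[-1]["hash"] if self._entries else self.GENESIS
        record = {
            "seq": len(self._entries),
            "kind": kind,
            "data": data,
            "supersedes": supersedes,
            "prev_hash": prev_hash,
        }
        record["hash"] = self._hash(record)
        self._entries.append(record)
        return record["seq"]

    def _successors(self):
        return {e["supersedes"]: e["seq"] for e in self._entries if e["supersedes"] is not None}

    def history(self, seq):
        """All versions of an entry, oldest first, by following the supersedes links."""
        successors = self._successors()
        chain = [self._entries[seq]]
        while seq in successors:
            seq = successors[seq]
            chain.append(self._entries[seq])
        return chain

    def current(self, seq):
        """Sequence number of the latest version of an entry."""
        return self.history(seq)[-1]["seq"]

    def verify_chain(self):
        """True if every entry's hash matches its contents and links to its predecessor."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev_hash:
                return False
            if self._hash(body) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

    def __len__(self):
        return len(self._entries)


if __name__ == "__main__":
    # Constructed sample records.
    ledger = AppendOnlyLedger()
    first = ledger.append("commission", {"partner": "p_demo", "amount_cents": 1000})
    fixed = ledger.append("commission", {"partner": "p_demo", "amount_cents": 1200}, supersedes=first)
    print(ledger.current(first), ledger.verify_chain())  # 1 True
```

The point of the chain is not to make data unchangeable (a correction is still possible) but to make every change leave a record: an in-place edit of an old entry changes its hash and breaks `verify_chain()`, while a proper correction appends a new entry that `history()` and `current()` can follow.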

No fund custody

OpenPartner does not hold money. Brands pay partners through Stripe Connect, which keeps the payout model cleaner from both a trust and a compliance perspective.

Open-source auditability

The core product is open source, which means customers and researchers can inspect how security-sensitive paths actually work.

Open-source as a security model

You can inspect the core instead of relying on a trust slide.

OpenPartner ships with an open-source core because security claims are easier to trust when the underlying implementation is inspectable. Teams that need even more control can self-host instead of routing sensitive partner data through a vendor-only black box.

Compliance roadmap

Where we are and where we are going.

OpenPartner is still early. We do not claim certifications we do not have, but the architecture is being shaped so hosted customers can move toward enterprise requirements without rewriting the core of the product later.

  • SOC 2 Type II: planned as the hosted product matures.
  • Data residency: US today, self-hosting available for teams that need stricter control now.
  • DPA support: available on request for hosted customers.

Vulnerability disclosure

Reporting a security issue.

If you believe you found a vulnerability, email [email protected] with the details and a clear path to reproduce it.

  • We will acknowledge good-faith reports within 2 business days.
  • We will keep reporters updated as we triage and fix issues.
  • We will credit researchers publicly if they want that recognition.

Have a security question?

We respond to security inquiries within two business days.