Loading live security status…
Private Key Never Leaves the Vault
PassThru uses Azure Key Vault's CryptographyClient for remote signing. The private key used to sign Apple Wallet passes is generated inside Key Vault and is never exported, downloaded, or transmitted outside of Key Vault.
- Your app builds the pass manifest and computes a SHA-256 hash
- The hash (32 bytes) is sent to Key Vault over TLS
- Key Vault signs it using the RSA-2048 private key inside HSM-backed storage
- Only the signature bytes come back — never the key
- The signed pass is assembled and delivered
Network Isolation
All backend services run inside an Azure Virtual Network with no public internet access:
| Resource | Public Access | How It's Accessed |
|---|---|---|
| API Gateway (APIM) | Yes (rate-limited) | HTTPS — only public entry point |
| Function App | No | APIM + CI/CD only (IP allowlist) |
| Cosmos DB | No | Private endpoint via VNet |
| Key Vault | No | Private endpoint via VNet |
7 Layers of Security
| Layer | Control |
|---|---|
| 1. Authentication | Firebase Auth + Google OIDC with Cloudflare Turnstile |
| 2. API Keys | SHA-256 hashed, 256-bit entropy, tenant-scoped |
| 3. Gateway | APIM validates JSON schemas, rate limits, adds security headers |
| 4. Function Keys | Azure platform-enforced auth on all management endpoints |
| 5. Network | VNet isolation, no public access to Function App |
| 6. Private Endpoints | Cosmos DB + Key Vault only reachable inside VNet |
| 7. Managed Identity | RBAC with least-privilege roles, zero credentials in code |
Encryption
| Purpose | Method |
|---|---|
| Data at rest | AES-256 (Azure-managed keys) |
| Data in transit | TLS 1.2+ |
| Pass signing | RSA-2048 + SHA-256 (PKCS#7) |
| API keys at rest | SHA-256 hashed (irreversible) |
| Key Vault storage | HSM-backed (FIPS 140-2 Level 2) |
| APNs push | Mutual TLS (client certificate) |
Automated Certificate Lifecycle
Signing certificates are automatically renewed before expiry:
- Timer checks cert expiry every 2 weeks
- CSR generated inside Key Vault (private key stays in vault)
- CSR submitted to Apple's App Store Connect API
- Signed cert merged back into Key Vault
No manual certificate handling. Fully automated and auditable.
Vulnerability Scanning
| Tool | Scope | Result |
|---|---|---|
| Semgrep | 246 rules, 46 source files | 0 findings |
| Gitleaks | Secret detection across all commits | 0 real findings |
| npm audit (backend) | All production dependencies | 0 vulnerabilities |
| npm audit (dashboard) | All production dependencies | 0 vulnerabilities |
CI/CD Security
- OIDC deployment — no stored Azure credentials in GitHub
- No secrets in code — enforced via Gitleaks scanning
- Automated builds — every push triggers build + deploy
Compliance
| Framework | Status |
|---|---|
| GDPR | Aligned — DPA available on request |
| CCPA | Below threshold — privacy policy in place |
| SOC 2 | Controls aligned — audit available on request |
| PCI DSS | Not applicable — no cardholder data stored |
Incident Response
In the event of a data breach, affected tenants will be notified within 72 hours. A post-incident report will be provided within 30 days.
Contact
For security inquiries or to report a vulnerability:
Marckoy Industries LLC
Email: support@passthru.dev