Security posture
Carrier moves real telecom infrastructure. Security is not a checkbox — it is the architecture.
Last updated: 2026-05-11
This is a v1 draft — review by counsel pending. SOC 2 certification is in progress; we do not claim certification until it is achieved.
Architecture
Infrastructure
- Cloudflare Workers + Durable Objects — no persistent servers, no open ports
- Edge-native: traffic never touches a VPS or shared compute
- Cloudflare WAF + DDoS mitigation on all ingress
- TLS 1.3 enforced on all endpoints; HTTP Strict Transport Security (HSTS)
Authentication
- OAuth 2.1 + PKCE for user-facing auth flows
- Argon2id password hashing (where passwords are used)
- No shared credentials between tenants — per-user token vault pattern
- Short-lived session tokens; refresh token rotation on use
Token vault
- eSIMVault API tokens stored encrypted in Cloudflare KV (AES-GCM 256-bit)
- Encryption keys managed via Cloudflare Workers Secrets — never in source code
- Carrier staff cannot read your plaintext token
- Tokens transmitted over TLS only; never logged
Observability
- Sentry for error tracking — stack traces scrubbed of PII before capture
- Tool invocation audit logs in Workers Analytics Engine (31-day retention)
- Anomaly alerting on error rate spikes and unusual call patterns
- Structured JSON logs — no free-form strings that leak credentials
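
One way to enforce the "never logged" and "no free-form strings that leak credentials" rules above is to pass every structured event through a redactor before it is serialized. This is an added example, not Carrier's code; the key names, patterns and sample event are assumptions constructed for illustration.

```javascript
// Added example: key names, patterns and the sample event are assumptions.
// Keys whose values are always replaced, regardless of content.
const SENSITIVE_KEY = /(authorization|cookie|password|secret|token|api[_-]?key)/i;

// Credential- or PII-shaped substrings inside otherwise harmless strings.
const VALUE_PATTERNS = [
  /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/gi,                   // Authorization values
  /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g, // JWT-shaped strings
  /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,      // e-mail addresses
];

const MAX_DEPTH = 8; // bounds recursion on deep or cyclic input

// Returns a redacted deep copy; the input event is never mutated.
function scrub(value, depth = 0) {
  if (depth > MAX_DEPTH) return "[TRUNCATED]";
  if (typeof value === "string") {
    return VALUE_PATTERNS.reduce((s, re) => s.replace(re, "[REDACTED]"), value);
  }
  if (Array.isArray(value)) return value.map((v) => scrub(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY.test(key) ? "[REDACTED]" : scrub(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined
}

// Serialize only after scrubbing, so raw values never reach the log sink.
function toLogLine(event) {
  return JSON.stringify(scrub(event));
}

// Constructed sample event (not real data).
const SAMPLE_EVENT = {
  level: "error",
  tool: "esim.activate",
  userId: "u_123",
  headers: { Authorization: "Bearer abc.def-ghi", "x-request-id": "r1" },
  error: {
    message: "upstream 401 for jane@example.com",
    stack: "Error: bad token eyJhbGciOi.eyJzdWIi.c2ln\n    at handler",
  },
};

console.log(toLogLine(SAMPLE_EVENT));
```

The same `scrub` function can be called from Sentry's `beforeSend` hook so error events are redacted before capture.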
Compliance
| Standard | Status | Notes |
|---|---|---|
| GSMA SGP.02 / RSP | Compliant | Remote SIM Provisioning specification |
| GSMA SM-DP+ | Compliant | Subscription Manager Data Preparation |
| SOC 2 Type II | In progress | Target: Q4 2026 |
| GDPR | Compliant | See Privacy Policy + DPA |
| CCPA | Compliant | See Privacy Policy |
Vulnerability disclosure
Found something? Email security@carrier.llc. A PGP key is not required for v1.
Please include a description of the vulnerability, steps to reproduce, potential impact, and any suggested mitigations. We will acknowledge your report within 48 hours and keep you updated on progress.
Bug bounty
No formal bounty program for v1. Email us — we will do right by you. Researchers who responsibly disclose critical vulnerabilities will be acknowledged publicly (with consent) and compensated at our discretion.
Responsible disclosure guidelines
- Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
- Do not perform denial-of-service attacks or disrupt live traffic.
- Give us reasonable time (90 days) to remediate before public disclosure.
- Do not socially engineer Carrier staff.
Researchers acting in good faith under these guidelines will not be subject to legal action by Carrier.