Oil Price API Documentation - Quick Start in 5 Minutes | REST API

Security & Compliance

OilPriceAPI is built with enterprise security requirements in mind. This guide covers our security practices, compliance certifications, and best practices for secure integration.

Infrastructure Security

Data Centers

  • Provider: DigitalOcean App Platform (SOC 2 Type II certified)
  • Regions: Primary in NYC, with edge caching globally via Cloudflare
  • Redundancy: Multi-zone deployment with automatic failover
  • Backups: Daily automated backups with 30-day retention

Network Security

  • TLS 1.3: All API traffic encrypted in transit
  • HTTPS Only: HTTP requests automatically redirected to HTTPS
  • DDoS Protection: Cloudflare enterprise-grade DDoS mitigation
  • Rate Limiting: Per-key rate limits to prevent abuse

Data at Rest

  • Database Encryption: PostgreSQL with AES-256 encryption
  • Key Management: API keys are stored only as bcrypt hashes, never in plaintext (see the Security FAQ below)
  • Audit Logs: Complete request logging for security analysis

API Security

Authentication

All API requests require authentication via API key:

Authorization: Token YOUR_API_KEY

API Key Best Practices:

  1. Never expose keys client-side - Use server-side proxies
  2. Use environment variables - Never hardcode keys in source
  3. Rotate keys regularly - Generate new keys periodically
  4. Use separate keys per environment - Development vs production
  5. Monitor key usage - Check dashboard for unusual activity

Rate Limiting

Rate limits protect against abuse and ensure fair usage:

Plan           Monthly Limit   Per-Minute Limit
Trial          10,000          60
Hobby          10,000          60
Starter        50,000          100
Professional   100,000         200
Business       200,000         500
Enterprise     Custom          Custom

IP Allowlisting (Enterprise)

Enterprise customers can restrict API access to specific IP ranges:

Contact [email protected] to configure IP allowlisting

Data Privacy

Data Collection

OilPriceAPI collects minimal data necessary for service operation:

  • Request logs: IP address, endpoint, timestamp, response time
  • Account data: Email, API keys, billing information
  • Usage data: Request counts, error rates, popular endpoints

Data Retention

Data Type         Retention Period
Request logs      90 days
Account data      Duration of account + 30 days
Billing records   7 years (legal requirement)
Price data        Indefinite (core product)

GDPR Compliance

For EU customers, we comply with GDPR requirements:

  • Data Subject Rights: Request data export or deletion via support
  • Data Processing Agreement: Available for enterprise customers
  • EU Data Residency: Available on Enterprise plans
  • Privacy Policy: oilpriceapi.com/privacy

CCPA Compliance

For California residents:

  • Do Not Sell: We do not sell personal information
  • Data Access: Request your data via [email protected]
  • Deletion: Request account deletion at any time

Compliance Certifications

Current Certifications

Certification   Status               Notes
SOC 2 Type II   Via infrastructure   DigitalOcean certified
ISO 27001       Via infrastructure   DigitalOcean certified
GDPR            Compliant            Data processing controls
CCPA            Compliant            California privacy rights
PCI DSS         Compliant            Via Stripe for payments

"Via infrastructure" means the certification belongs to the hosting provider (DigitalOcean) or the payment processor (Stripe) and attests to their controls, not to OilPriceAPI's own application-layer controls; record these as inherited rather than first-party certifications in a vendor assessment. GDPR and CCPA are regulations rather than certifications, so those rows record self-declared compliance.

Audit Reports

Enterprise customers can request:

  • SOC 2 Type II reports (via DigitalOcean)
  • Penetration test results (annual)
  • Security questionnaire responses

Contact [email protected] for access.

Secure Integration Checklist

Server-Side Integration (Recommended)

# Good: Server-side with environment variable
import os
from oilpriceapi import OilPriceAPI

# Read the key from the environment at startup. os.environ[...] raises
# KeyError if the variable is unset, so a misconfigured deployment fails
# immediately instead of running without credentials.
client = OilPriceAPI(api_key=os.environ['OILPRICEAPI_KEY'])
price = client.prices.get("WTI_USD")

Proxy Pattern for Frontend

Never expose API keys in client-side code. Use a backend proxy:

// Backend API route (Next.js example)
// app/api/prices/route.ts
import { NextResponse } from 'next/server';
import { OilPriceAPI } from 'oilpriceapi';

// The key is read only from the server environment; it never reaches the browser.
const client = new OilPriceAPI({
  apiKey: process.env.OILPRICEAPI_KEY!
});

export async function GET() {
  // As written, anyone who can reach this route spends your OilPriceAPI quota.
  // Put it behind your own session authentication, a per-user rate limit, or a
  // short-lived response cache before exposing it publicly.
  const prices = await client.getLatestPrices();
  return NextResponse.json(prices);
}

// Frontend - calls your backend, not OilPriceAPI directly
const prices = await fetch('/api/prices').then(r => r.json());

The proxy keeps the key off the client, but it also makes your backend the gatekeeper for your plan's rate limit: an unauthenticated, uncached proxy route simply moves the abuse surface from the key to the route.

Webhook Security

When using price alerts with webhooks:

  1. Use HTTPS - Webhook URLs must use HTTPS
  2. Verify signatures - Validate webhook payloads (coming soon)
  3. Implement idempotency - Deliveries may be repeated; track which ones you have already acted on so a retry does not trigger the same action twice
  4. Set timeouts - Respond within 30 seconds: acknowledge the delivery immediately and do any slow work after the response has been sent
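The handler below is an added example, not code from OilPriceAPI's documentation or SDK. It implements steps 3 and 4 above: each delivery is acknowledged as soon as it has been parsed and recorded, a repeated delivery of the same event is acknowledged again without being acted on twice, and the real work is queued for a worker that runs outside the request path so downstream slowness cannot push the response past the 30-second deadline. It assumes the payload is JSON carrying a unique delivery identifier in a field named "id" (an assumption; the page does not define the payload format) and leaves out signature verification because the page lists that as not yet available. Only the standard library is used; the sample deliveries at the bottom are constructed for the example.

```python
"""Webhook receiver: fast acknowledgement plus idempotent processing.

Added example, not OilPriceAPI's own code. Assumed (not from the page): the
payload is JSON with a unique delivery identifier in the field "id".
"""
import json
import queue
import threading
import time
from typing import Tuple

ACK_DEADLINE_SECONDS = 30  # the sender expects a response within 30 seconds


class WebhookReceiver:
    def __init__(self):
        # delivery id -> time first accepted. In production this is a persistent
        # store with a TTL shared by all receiver instances, not a process-local dict.
        self._seen = {}
        self._lock = threading.Lock()
        self._work = queue.Queue()   # accepted payloads, processed after the ack
        self.processed = []          # what the worker actually acted on, in order

    def receive(self, raw_body: bytes) -> Tuple[int, str]:
        """Handle one POST. Returns (HTTP status, body) for the sender."""
        try:
            payload = json.loads(raw_body.decode("utf-8"))
            delivery_id = str(payload["id"])   # assumed field name
        except (UnicodeDecodeError, ValueError, KeyError, TypeError):
            # A 4xx tells the sender not to retry an unparseable delivery.
            return 400, "malformed payload"
        with self._lock:
            if delivery_id in self._seen:
                # Redelivery (retry after a timeout, or at-least-once semantics):
                # acknowledge again, but do not queue the work a second time.
                return 200, "duplicate ignored"
            self._seen[delivery_id] = time.time()
        # Nothing slow happens here; the payload is handed to the worker and the
        # response goes back well inside ACK_DEADLINE_SECONDS.
        self._work.put(payload)
        return 200, "accepted"

    def process_pending(self) -> int:
        """Worker step: drain the queue. Returns the number of payloads handled."""
        handled = 0
        while True:
            try:
                payload = self._work.get_nowait()
            except queue.Empty:
                return handled
            # Real handlers update a cache, notify users, etc. Slow calls are
            # fine here because no HTTP response is waiting on them.
            self.processed.append(payload)
            handled += 1


if __name__ == "__main__":
    # Constructed deliveries: one event, the same event redelivered, and junk.
    receiver = WebhookReceiver()
    first = b'{"id": "evt_0001", "symbol": "WTI_USD", "price": 70.12}'
    print(receiver.receive(first))              # (200, 'accepted')
    print(receiver.receive(first))              # (200, 'duplicate ignored')
    print(receiver.receive(b'not json'))        # (400, 'malformed payload')
    print(receiver.process_pending())           # 1
```

The dedupe key is the delivery identifier, not a hash of the body: a legitimate second event with identical content (the same price observed twice) must still be processed, while a retry of one event must not.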

Incident Response

Security Incident Reporting

Report security vulnerabilities to: [email protected]

We follow responsible disclosure:

  • Acknowledge receipt within 24 hours
  • Provide status updates within 72 hours
  • Credit researchers in our security acknowledgments

Status Page

Monitor service health: status.oilpriceapi.com

Subscribe to incident notifications via:

  • Email alerts
  • RSS feed
  • Slack integration (Enterprise)

Enterprise Security Features

Available on Enterprise plans:

Feature             Description
SSO/SAML            Single sign-on integration
IP Allowlisting     Restrict API access by IP
Custom SLA          99.99% uptime guarantee
Dedicated Support   Direct engineering access
Audit Logs          Detailed access logging
EU Data Residency   Data stored in EU regions
Custom DPA          Tailored data processing agreement

Contact [email protected] for details.

Security FAQ

How are API keys stored?

API keys are hashed using bcrypt before storage. We never store plaintext keys after initial generation, so the key is shown once, at creation: copy it then, because a lost key cannot be recovered, only replaced.

Can I rotate my API key?

Yes. Generate a new key in your dashboard, update your applications to use it, confirm in the usage dashboard that traffic has moved to the new key, then revoke the old key. Because the new key is active before the old one is revoked, rotation needs no downtime.

What happens if my key is compromised?

  1. Immediately revoke the key in your dashboard
  2. Generate a new key
  3. Update all applications
  4. Review usage logs for unauthorized access
  5. Contact support if you notice suspicious activity
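The following is an added example, not OilPriceAPI's implementation, showing the server-side key lifecycle that the three answers above describe: the plaintext key is returned exactly once, only a salted slow hash of its secret part is stored, verification compares hashes in constant time, and rotation is "issue the new key, then revoke the old one". The "<key_id>.<secret>" format, the in-memory table and the account names are invented for the example, and hashlib.scrypt from the standard library stands in for the bcrypt the page says the service uses; swapping the hash does not change the structure.

```python
"""API key lifecycle: issue, verify, revoke, rotate.

Added example, not OilPriceAPI's own code. Assumed (not from the page): the
"<key_id>.<secret>" key format and the in-memory table; hashlib.scrypt is
used in place of bcrypt so the example runs with the standard library only.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Memory cost 128 * r * n = 16 MiB, within hashlib.scrypt's default maxmem.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class StoredKey:
    account: str
    salt: bytes
    secret_hash: bytes      # slow hash of the secret; the secret itself is not kept
    revoked: bool = False


class KeyStore:
    def __init__(self):
        self._keys: Dict[str, StoredKey] = {}   # key_id -> record, nothing in plaintext

    def issue(self, account: str) -> str:
        """Create a key for an account and return its plaintext, this one time."""
        key_id = secrets.token_hex(8)          # public handle used for lookup
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy; never stored
        salt = os.urandom(16)
        self._keys[key_id] = StoredKey(account, salt, self._hash(secret, salt))
        return f"{key_id}.{secret}"

    def verify(self, presented: str) -> Optional[str]:
        """Return the account for a valid, unrevoked key, otherwise None."""
        key_id, sep, secret = presented.partition(".")
        record = self._keys.get(key_id)
        if not sep or record is None or record.revoked:
            return None
        # Recompute the slow hash and compare without short-circuiting on the
        # first differing byte, so a wrong secret takes the same time as a near miss.
        if not hmac.compare_digest(self._hash(secret, record.salt), record.secret_hash):
            return None
        return record.account

    def revoke(self, presented_or_id: str) -> bool:
        """Disable a key. Accepts either the full key or just its key_id,
        so a compromised key can be revoked without handling its secret again."""
        record = self._keys.get(presented_or_id.partition(".")[0])
        if record is None:
            return False
        record.revoked = True
        return True

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.scrypt(secret.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def rotate(store: KeyStore, account: str, old_key: str) -> str:
    """The rotation sequence from the FAQ: issue first, revoke second.
    Both keys are valid in between, which is what lets applications be
    updated without an outage."""
    new_key = store.issue(account)
    # ... deploy new_key to every application and confirm it is in use ...
    store.revoke(old_key)
    return new_key
```

The key_id prefix exists because a slow hash cannot be indexed: without a cleartext handle, verifying a presented key would mean recomputing the hash against every record in the table. Revealing whether a key_id exists (the early return before hashing) is harmless, since the key_id is the public half and carries none of the secret.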

Do you share data with third parties?

We do not sell or share customer data. Third-party services we use:

  • Stripe (payments)
  • Postmark (transactional email)
  • Sentry (error monitoring)

All third parties are bound by data processing agreements.

How do I request my data?

Email [email protected] with "Data Export Request" in the subject line. We'll provide your data within 30 days.

Contact

  • Security Issues: [email protected]
  • Compliance Questions: [email protected]
  • General Support: [email protected]
Last Updated: 12/30/25, 11:23 AM