Built for energy infrastructure. Security is not optional.
Utility planners and enterprise teams evaluating Derapi have the same question: how is this data handled? We built a clear answer into every layer.
Auth model
API Key Authentication
Every request requires a Bearer token in the Authorization header. Keys are scoped per environment — sandbox keys cannot call production endpoints and vice versa.
TLS 1.2+ Everywhere
All API traffic is encrypted in transit using TLS 1.2 or higher. TLS 1.0 and 1.1 are not accepted. Connections that don't meet the minimum TLS version are rejected before any data is transferred.
Environment Isolation
Sandbox and production environments are fully isolated at the infrastructure level. Your sandbox API key cannot accidentally query production data or trigger production webhooks.
Key Rotation
API keys can be rotated at any time from your dashboard with zero downtime. Revoked keys stop working immediately. Production plans include audit logs of all key creation and rotation events.
What data we handle and how
No PII Required
Querying DER data through Derapi requires no personally identifiable information. Your requests include a ZIP code or utility territory — not customer identifiers or personal details.
Public + Licensed Sources
Grid data is sourced from public utility filings (FERC eLibrary, state PUC databases) and licensed data partners. No data is obtained through unauthorized means. Full data lineage is available to Production customers.
US-West Data Residency
All API infrastructure and data storage operates in US-West regions. No customer data is transferred to or processed in non-US data centers. This is appropriate for utility buyers with data residency requirements.
Request Logging
API request metadata (timestamps, endpoint, response codes, latency) is retained for 90 days for all plans. Production plan customers receive full audit log export via the dashboard.
Designed with controls in mind
Our engineering practices are built with SOC 2 Type II controls in mind. We apply the Trust Service Criteria (Security, Availability, Confidentiality) to our infrastructure and development lifecycle. Formal SOC 2 Type II audit is on our 2026 roadmap.
Derapi is designed with CCPA-compliant data handling practices. California residents may submit requests to access or delete their account data. We do not sell personal information to third parties. Contact [email protected] for privacy rights requests.
Derapi does not process protected health information (PHI). HIPAA data is outside the scope of our platform. The grid and energy data we serve is not subject to HIPAA requirements.
Derapi is a read-only data API: we do not write to, control, or interact with Bulk Electric System assets. We are not a NERC CIP-regulated entity and are not classified as a BCS (BES Cyber System) or EACMS (Electronic Access Control or Monitoring System). Utility IT and OT teams: Derapi operates in the IT/business network layer only.
We accept responsible vulnerability disclosures at [email protected]. We aim to acknowledge all reports within 48 hours and provide remediation timelines within 7 business days.
Questions about security or compliance?
Our team is happy to walk through our security posture with utility buyers and enterprise evaluators.