Status

Live operational truth for deny.sh. The API health endpoint is pinged from your browser so this page reflects right-now status, not a cached read. A formal status page with multi-region uptime tracking and historical incident records is on the post-launch roadmap.

// live

Service health

Pinged client-side against /api/health each time you load this page.

API gateway Checking...

Database Checking...

Last checked —

For programmatic checks, hit /api/health directly. Returns {"status":"ok","db":"ok"} when healthy. The endpoint is public, unauthenticated, and minimal by design (no version fingerprinting, no PM2 metadata, no uptime numbers).

// posture

Certifications + posture

Cyber Essentials Certified, expires 15 May 2027 (344 days)

UK GDPR data controller Registered, policy + DPA live

SOC 2 Type II Roadmap, post-launch funding window

ISO 27001:2022 Roadmap, parallel track

Independent cryptographic audit Roadmap, post-launch funding window

Penetration test Roadmap, alongside crypto audit

Full context: /compliance · /trust.

// subprocessors

Subprocessors and data regions

Vendors that process customer data on our behalf, where they sit, and what they handle. International transfer mechanism is detailed at /privacy#international-transfers.

Subprocessor	Role	Region
DigitalOcean	Production droplet, application hosting and storage	London (LON1)
Stripe	Payment processing, billing, invoicing	United States (Stripe Inc.) with UK / EU presence
Resend	Transactional email delivery (alerts, receipts, magic links)	United States (AWS-hosted)
Cloudflare	DNS only (no traffic proxying, no edge caching of customer data)	Global anycast
Amazon Web Services	BYOK envelope encryption (customer-opt-in only) and Secrets Manager custodian (customer-opt-in only). No deny.sh-owned AWS account holds customer data.	Customer-elected AWS region
BlockMark Registry / IASME Consortium	Cyber Essentials certificate issuance and registry (no customer data)	United Kingdom

Subprocessor change notification today: any addition or change is announced in the changelog and on this page within seven calendar days. A formal RSS / email subscription for subprocessor changes is on the post-launch roadmap.

// incidents

Last incident

NONE PUBLICLY RECORDED

deny.sh launches Saturday 4 July 2026 at 08:00 BST. Pre-launch operational events are not in scope for public incident disclosure. Post-launch incidents will be recorded here with timeline, scope, customer impact, root cause, and remediation. Security findings reported via /disclosure are handled separately under coordinated disclosure.

// honest framing

What this page is not

This is a lightweight ops page, not a full status service. It does not currently provide multi-region uptime tracking, per-component status (encrypt, restore, inheritance, audit, BYOK, SAML), historical SLA numbers, scheduled-maintenance windows, or an RSS / webhook subscription for status changes. All of that is on the post-launch roadmap. The honest position today is: the service is reachable, the health endpoint says so, and we have no outage to report. If you need more than that, tell us what your procurement team requires.