Status

Live operational truth for deny.sh. The API health endpoint is pinged from your browser so this page reflects right-now status, not a cached read. A formal status page with multi-region uptime tracking and historical incident records is on the post-launch roadmap.

// live

Service health

Pinged client-side against /api/health each time you load this page.

API gateway Checking...
Database Checking...
Last checked

For programmatic checks, hit /api/health directly. Returns {"status":"ok","db":"ok"} when healthy. The endpoint is public, unauthenticated, and minimal by design (no version fingerprinting, no PM2 metadata, no uptime numbers).

// posture

Certifications + posture

Cyber Essentials Certified, expires 15 May 2027 (344 days)
UK GDPR data controller Registered, policy + DPA live
SOC 2 Type II Roadmap, post-launch funding window
ISO 27001:2022 Roadmap, parallel track
Independent cryptographic audit Roadmap, post-launch funding window
Penetration test Roadmap, alongside crypto audit

Full context: /compliance · /trust.

// subprocessors

Subprocessors and data regions

Vendors that process customer data on our behalf, where they sit, and what they handle. International transfer mechanism is detailed at /privacy#international-transfers.

Subprocessor Role Region
DigitalOcean Production droplet, application hosting and storage London (LON1)
Stripe Payment processing, billing, invoicing United States (Stripe Inc.) with UK / EU presence
Resend Transactional email delivery (alerts, receipts, magic links) United States (AWS-hosted)
Cloudflare DNS only (no traffic proxying, no edge caching of customer data) Global anycast
Amazon Web Services BYOK envelope encryption (customer-opt-in only) and Secrets Manager custodian (customer-opt-in only). No deny.sh-owned AWS account holds customer data. Customer-elected AWS region
BlockMark Registry / IASME Consortium Cyber Essentials certificate issuance and registry (no customer data) United Kingdom

Subprocessor change notification today: any addition or change is announced on this page within seven calendar days. A formal RSS / email subscription for subprocessor changes is on the post-launch roadmap.

// incidents

Last incident

NONE PUBLICLY RECORDED

deny.sh opens its open beta Saturday 4 July 2026 at 08:00 BST. Pre-beta operational events are not in scope for public incident disclosure. Incidents from the open beta onward will be recorded here with timeline, scope, customer impact, root cause, and remediation. Security findings reported via /disclosure are handled separately under coordinated disclosure.

// honest framing

What this page is not

This is a lightweight ops page, not a full status service. It does not currently provide multi-region uptime tracking, per-component status (encrypt, restore, audit, BYOK, SAML), historical SLA numbers, scheduled-maintenance windows, or an RSS / webhook subscription for status changes. All of that is on the post-launch roadmap. The honest position today is: the service is reachable, the health endpoint says so, and we have no outage to report. If you need more than that, tell us what your procurement team requires.