1. Network: DDoS protection, automatic TLS, security headers
2. Authentication: Signed sessions, automatic refresh, password hashing
3. Isolation: Your data stays completely separate from other teams
4. Secret Scanning: API keys and tokens are caught before they're stored
5. Encryption: Everything encrypted at rest with keys unique to your team
6. Audit Trail: Every action is recorded and tamper-evident

Encryption at rest

All artifacts are encrypted with AES-256-GCM using envelope encryption. Each team gets unique encryption keys derived from a root secret. If decryption fails, the system refuses to return data — it never falls back to plaintext.

Tenant isolation

Your data is separated at every layer: database row-level security, filesystem namespacing, and cryptographic isolation via per-tenant key derivation. One team's data is invisible to another.
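
The following Node.js example, added here and not the product's own code, shows envelope encryption with a per-team key and fail-closed decryption as described under "Encryption at rest" and "Tenant isolation". HKDF-SHA256 as the derivation function, the `team-kek:` label, binding the team ID as additional authenticated data, and all function names are assumptions; the page does not specify them.

```javascript
// Added illustration, not the vendor's implementation.
// Assumptions: HKDF-SHA256 derivation, random per-artifact data key, 96-bit nonces.
const crypto = require('crypto');

// Derive a team's key-encryption key (KEK) from the root secret.
function deriveTeamKey(rootSecret, teamId) {
  const okm = crypto.hkdfSync('sha256', rootSecret, Buffer.alloc(0),
    `team-kek:${teamId}`, 32);
  return Buffer.from(okm);
}

// AES-256-GCM encrypt with a fresh random nonce.
function gcmSeal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// AES-256-GCM decrypt; final() throws if the tag does not verify.
function gcmOpen(key, box, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Envelope encryption: a fresh data key encrypts the artifact,
// and the team's KEK wraps that data key.
function encryptArtifact(rootSecret, teamId, plaintext) {
  const aad = Buffer.from(teamId);
  const dataKey = crypto.randomBytes(32);
  return {
    wrappedKey: gcmSeal(deriveTeamKey(rootSecret, teamId), dataKey, aad),
    body: gcmSeal(dataKey, plaintext, aad),
  };
}

// Fail closed: an authentication failure propagates as an exception;
// no code path returns unauthenticated or plaintext-fallback bytes.
function decryptArtifact(rootSecret, teamId, envelope) {
  const aad = Buffer.from(teamId);
  const kek = deriveTeamKey(rootSecret, teamId);
  const dataKey = gcmOpen(kek, envelope.wrappedKey, aad);
  return gcmOpen(dataKey, envelope.body, aad);
}
```

Decrypting an envelope under a different team ID derives a different KEK, so unwrapping the data key fails its tag check before any artifact bytes are touched.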

Secret scanning

Every file that's stored, exported, or logged is scanned for API keys, tokens, and credentials. Matches are redacted automatically. This runs on every path — no exceptions.

Audit trail

Every test run, gate decision, and configuration change is recorded with a signed traceability envelope. Records are tamper-evident — if anything is modified after the fact, verification fails.

Questions about security? [email protected]