Security

How we protect your data and keys.

Your Keys, Your Control

  • API keys (LLM) — You add your own keys (Anthropic, OpenAI, DeepSeek, etc.) in Settings. Keys are encrypted at rest with AES-256-GCM. We never log them, expose them in API responses, or store them in plain text. No billing proxy: requests go from our backend to the provider using your key; you pay the provider directly and we do not mark up usage.
  • GitHub tokens (optional) — If you connect a repo for "commit and push", we store a personal access token in encrypted form. It is used only to push the run's patch and is scoped to the repo you specify.

Authentication

  • Sessions — Session-based auth with signed, time-limited cookies. No long-lived tokens in the browser beyond the session cookie.
  • Optional OAuth — Sign in with Google or GitHub when configured. We store only the identifier and email needed for the account; no access to your Google/GitHub data beyond what OAuth provides.
  • Passwords — Stored hashed (bcrypt or equivalent). We do not store or transmit plain-text passwords.

Data & Storage

  • Isolation — Metadata and artifacts are scoped by user and project. No cross-tenant or cross-user access. What you create is yours.
  • Artifacts — Run artifacts (problem statement, spec, feedback summary, budget ledger) are stored with integrity checks (e.g. checksums where applicable). Storage is append-only where required for audit.
  • Infrastructure — Production: Vercel (hosting), Vercel KV or Upstash Redis (metadata), Vercel Blob (artifacts). All over HTTPS. No on-prem or unencrypted storage for sensitive data.

Application Security

  • Rate limiting — Auth and expensive API endpoints are rate-limited to reduce abuse and denial-of-service risk.
  • Security headers — Responses include standard hardening headers (e.g. X-Content-Type-Options, X-Frame-Options) where applicable.
  • Input validation — User input and file paths are validated to prevent injection and directory traversal. We do not execute arbitrary user code.

What We Don't Do

  • We do not proxy your LLM traffic through our own billing. You configure your keys; you pay the provider.
  • We do not log API keys or store them in plain text.
  • We do not sell or share your data with third parties for advertising. See our Privacy Policy for details.