Your code, credentials, and data are protected at every layer. Here's exactly what we do — and don't do.
🔒
HTTPS everywhere
All traffic encrypted via TLS 1.3. No plain-text connections, ever.
🛡
Row Level Security
Every Supabase table enforces RLS. Your data is isolated and inaccessible to other accounts.
🔑
Encrypted secrets
API keys stored encrypted at rest. Never logged, never surfaced in any interface.
🚫
No training on your data
Your prompts, code, and projects are never used to train AI models. Full stop.
⚡
Supabase Auth
Battle-tested authentication. Email verification, secure password hashing, session management.
🔍
Automatic security scan
Every deployment scanned for exposed keys, open endpoints, and missing auth before going live.
◎
Isolated workspaces
Each project is logically separated. No cross-account data access is possible.
↻
Continuous monitoring
Platform activity monitored for anomalous behavior and abuse in real time.
💳
Dodo Payments — PCI DSS
All payments processed by Dodo Payments. We never touch or store card numbers. PCI DSS compliant checkout.
🛰
Single Sign-On
SAML and OIDC SSO for Enterprise orgs, so access follows your identity provider — not a separate password.
👥
Org roles & permissions
Owner, admin, member, and viewer roles enforce who can deploy, invite, or manage settings at the org level.
📋
Audit logs
Every org-level action — invites, role changes, project deploys — is logged with who, what, and when.
RLS Trust Scanner
Most app builders generate database access rules and hope they're right. We scan every project's live database the same way an attacker would — using the public anon key — and flag tables that are readable or writable without proper Row Level Security, before you ship. It's built into every project's Security tab, not a one-time audit you have to remember to run.