Security at SKYCOT
Every build is scanned for vulnerabilities before it ships. Your data is encrypted in transit (HTTPS) and at rest, on infrastructure run by SOC 2 certified providers.
Built-in Security Scanning
Every build runs through 10+ automated security checks. Critical issues block deployment. You get an A-F security grade.
Hardcoded Secrets Detection
Scans for API keys, tokens, and passwords accidentally left in generated code.
SQL Injection Prevention
All database queries go through Drizzle ORM, which binds values as query parameters instead of concatenating them into SQL text. Generated code never emits raw SQL strings, so user input cannot change the shape of a query.
XSS Vulnerability Scanning
User content sanitized before render. Checks for unsafe innerHTML and unescaped outputs.
Input Validation Auditing
Verifies all API inputs are validated with Zod schemas. No untyped data accepted.
Auth Check Verification
Ensures protected routes have authentication middleware. No accidental public endpoints.
Dependency Vulnerability Scan
Checks npm packages against known vulnerability databases before deployment.
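The checks above are described only in outline. The following is an added example, not SKYCOT's scanner, of how a build-time check runner for the first three (hardcoded secrets, unsafe innerHTML, SQL built by string interpolation) can be wired together with the "critical blocks deployment, A-F grade" rule. The regexes, severities, grade thresholds and the sample source files are all assumptions constructed for the example.

```javascript
// Added example, not SKYCOT's code. Patterns and grading are illustrative assumptions.
const CHECKS = [
  {
    id: 'hardcoded-secret',
    severity: 'critical',
    patterns: [
      /AKIA[0-9A-Z]{16}/,                    // AWS access key id shape
      /ghp_[A-Za-z0-9]{36}/,                 // GitHub personal access token shape
      // "apiKey = '...'" style assignments of a quoted literal; process.env.X does not match.
      /(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"][^'"]{8,}['"]/i,
    ],
  },
  {
    id: 'unsafe-innerhtml',
    severity: 'high',
    patterns: [/\.innerHTML\s*=/, /dangerouslySetInnerHTML/],
  },
  {
    id: 'sql-string-interpolation',
    severity: 'critical',
    // A template literal containing a SQL verb and a ${...} interpolation.
    patterns: [/`[^`]*\b(select|insert|update|delete)\b[^`]*\$\{[^`]*`/i],
  },
];

// files: { path -> source text }. Returns one finding per (line, check) hit.
function scanSource(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split('\n').forEach((line, i) => {
      for (const check of CHECKS) {
        if (check.patterns.some((p) => p.test(line))) {
          findings.push({ check: check.id, severity: check.severity, path, line: i + 1 });
        }
      }
    });
  }
  return findings;
}

// Any critical finding fails the build (grade F, blocked); otherwise the grade
// degrades one letter per high-severity finding, bottoming out at D.
function grade(findings) {
  const critical = findings.filter((f) => f.severity === 'critical').length;
  const high = findings.filter((f) => f.severity === 'high').length;
  if (critical > 0) return { grade: 'F', blocked: true, critical, high };
  const letter = high === 0 ? 'A' : high === 1 ? 'B' : high === 2 ? 'C' : 'D';
  return { grade: letter, blocked: false, critical, high };
}

// Constructed sample "generated code" exercising each check plus one clean file.
const SAMPLE_FILES = {
  'lib/config.js': 'const apiKey = "EXAMPLEKEYEXAMPLEKEY1234";\nexport default apiKey;\n',
  'components/Comment.jsx': 'el.innerHTML = props.body;\n',
  'db/users.js': 'const q = `SELECT * FROM users WHERE id = ${id}`;\n',
  'lib/safe.js': 'const name = process.env.APP_NAME;\n',
};

const report = grade(scanSource(SAMPLE_FILES));
console.log(report); // { grade: 'F', blocked: true, critical: 2, high: 1 }
```

Line-based regex checks are deliberately cheap; they catch the literal patterns the text names but not, for example, a secret built from two concatenated strings. The dependency scan is a separate step that consults an advisory database rather than source text.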
Infrastructure Security
Built on proven, enterprise-grade infrastructure.
Vercel Edge Network
Apps deployed to Vercel's global edge network with automatic HTTPS, DDoS protection, and 99.99% uptime SLA.
Supabase PostgreSQL
Data stored in Supabase-managed PostgreSQL with Row Level Security (RLS), automatic backups, and encryption at rest.
SOC 2 Compliance
SOC 2 Type II certification is on our roadmap. Our infrastructure providers (Vercel, Supabase) are already SOC 2 certified.
Data Residency
Supabase projects can be provisioned in your preferred region. Sydney (AU), US East, EU West, and more available.
Architecture & Data Flow
When you describe an app, your input is sent to Anthropic's Claude API for compilation and code generation. The generated code is stored in Supabase Storage, encrypted at rest. Builds execute on Trigger.dev managed infrastructure with isolated containers per build.
Your authentication data is handled by Supabase Auth — passwords are hashed with bcrypt and never stored in plaintext. OAuth tokens from Google/GitHub are stored by Supabase and rotated automatically.
Payment information is processed exclusively by Stripe. SKYCOT never has access to your full card number. Stripe handles PCI DSS compliance.
Compliance
- SOC 2 Type II — In progress. Our infrastructure providers (Vercel, Supabase, Stripe) are already SOC 2 certified. SKYCOT's own audit is targeted for H2 2026.
- GDPR Compliant — Data processing agreements in place with all subprocessors. EU data residency available via Supabase region selection.
- CAIQ — Consensus Assessments Initiative Questionnaire available upon request for enterprise customers.
Penetration Testing
SKYCOT commits to annual third-party penetration testing of our platform. A summary of our most recent pentest results is available to enterprise customers under NDA. Contact security@skycot.com to request access.
Responsible Disclosure
If you discover a security vulnerability in SKYCOT, we ask that you disclose it responsibly. Please email info@skycot.com with details of the vulnerability.
What we commit to:
- Acknowledge receipt within 48 hours
- Provide an estimated timeline for a fix
- Notify you when the vulnerability is resolved
- Credit you in our security changelog (if desired)
Credential Vault
Enterprise-grade credential management for third-party integrations.
Fully Managed
SKYCOT provisions and manages credentials automatically. Zero setup required — default for Starter and Pro plans.
Guided BYOK
Bring your own keys with OAuth popups and encrypted storage. Default for Business plans.
Direct Entry
Enter API keys directly with real-time validation against live service APIs. Default for Enterprise.
AES-256-GCM Encryption
A fresh random 96-bit nonce is generated for every encryption operation, since reusing a nonce under the same key breaks GCM's confidentiality and integrity guarantees. The encryption key is held outside the database, so a database dump alone yields only ciphertext.
90-Day Auto-Rotation
Managed credentials are rotated automatically on a 90-day cycle using a dual-credential swap: the new credential is issued and verified while the old one is still valid, and the old one is revoked only after the cutover, so integrations never see a gap.
12-Month Audit Trail
Immutable audit log covering every credential action: create, access, rotate, and revoke.
Per-Project Isolation
Credentials are scoped to individual projects. No cross-project access is possible.
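The rotation and audit-trail items above describe a lifecycle rather than an algorithm. The following added example (not SKYCOT's vault) shows one way to implement the dual-credential swap so that the old credential remains valid during the overlap, a failed issuance leaves the active credential untouched, and every action lands in an append-only log. The provider interface (issue, validate, revoke), the fake provider and the injectable clock are assumptions made so the example runs offline.

```javascript
// Added example, not SKYCOT's code. Rotation interval as stated on the page.
const ROTATION_MS = 90 * 24 * 60 * 60 * 1000;

// provider (assumed interface): issue(id) mints a credential, validate(c) checks it
// against the live service, revoke(c) invalidates it. now() is injectable for testing.
function createManagedVault(provider, now = () => Date.now()) {
  const records = new Map(); // credentialId -> { active, retiring, rotatedAt }
  const audit = [];          // append-only; entries are frozen once written
  const log = (action, id) =>
    audit.push(Object.freeze({ ts: now(), action, credentialId: id }));

  return {
    create(id) {
      records.set(id, { active: provider.issue(id), retiring: null, rotatedAt: now() });
      log('create', id);
    },
    access(id) {
      log('access', id);
      return records.get(id).active;
    },
    rotationDue(id) {
      return now() - records.get(id).rotatedAt >= ROTATION_MS;
    },
    // Step 1 of the swap: issue and verify a new credential, then cut over.
    // The old credential stays valid until finishRotation() so in-flight calls succeed.
    startRotation(id) {
      const rec = records.get(id);
      const next = provider.issue(id);
      if (!provider.validate(next)) {
        provider.revoke(next);      // discard the bad issuance
        log('rotate_failed', id);   // active credential is unchanged
        return false;
      }
      rec.retiring = rec.active;
      rec.active = next;
      rec.rotatedAt = now();
      log('rotate', id);
      return true;
    },
    // Step 2 of the swap: revoke the retiring credential after the overlap window.
    finishRotation(id) {
      const rec = records.get(id);
      if (!rec.retiring) return;
      provider.revoke(rec.retiring);
      rec.retiring = null;
      log('revoke', id);
    },
    auditLog() { return audit.slice(); }, // a copy; callers cannot mutate the log
  };
}

// Constructed fake provider: credentials are "<id>-v<n>"; failNext forces one
// validation failure to exercise the rollback path.
function fakeProvider() {
  let n = 0;
  const valid = new Set();
  return {
    failNext: false,
    issue(id) { const c = `${id}-v${++n}`; valid.add(c); return c; },
    validate(c) {
      if (this.failNext) { this.failNext = false; return false; }
      return valid.has(c);
    },
    revoke(c) { valid.delete(c); },
    isValid(c) { return valid.has(c); },
  };
}

let fakeNow = 0;
const provider = fakeProvider();
const vault = createManagedVault(provider, () => fakeNow);
vault.create('stripe');
fakeNow = ROTATION_MS;
if (vault.rotationDue('stripe')) { vault.startRotation('stripe'); vault.finishRotation('stripe'); }
console.log(vault.auditLog().map((e) => e.action)); // [ 'create', 'rotate', 'revoke' ]
```

Splitting rotation into start and finish is what makes it "dual-credential": between the two calls both credentials are live, which is the window in which dependent services pick up the new value.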
Agent Safety & Guardrails
Built-in safety controls for AI agents generated by SKYCOT.
Input Validation
Reject malformed or off-topic inputs before they reach the model.
PII Detection
Scan inputs and outputs for sensitive data. Redact PII automatically.
Content Moderation
Block harmful or inappropriate content from entering or leaving the agent.
Spend Limiting
Per-request, per-session, and per-billing-period token caps enforced at the API layer.
Action Filtering
Restrict which tools and external APIs an agent is permitted to access.
Escalation Handlers
Route to human intervention automatically when confidence is low or anomalies are detected.
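Spend limiting and action filtering are the two guardrails above that reduce to a concrete pre-call policy. As an added example (not SKYCOT's agent runtime), the guard below enforces the three token caps and a tool allowlist before a model or tool call is made, and records actual consumption afterwards. The limits, tool names and token counts are assumptions.

```javascript
// Added example, not SKYCOT's code. All limits and tool names are assumptions.
function createAgentGuard({ perRequest, perSession, perPeriod, allowedTools }) {
  const used = { session: 0, period: 0 };
  const allowed = new Set(allowedTools);

  return {
    // Evaluate a proposed call before it is made. `tokens` is the caller's estimate
    // (prompt + max output); `tool` is the tool the agent wants to invoke, if any.
    // Checks run from most specific to most global so the reason is actionable.
    check({ tokens, tool }) {
      if (tool !== undefined && !allowed.has(tool)) {
        return { allowed: false, reason: `tool "${tool}" is not on the allowlist` };
      }
      if (tokens > perRequest) return { allowed: false, reason: 'per-request cap' };
      if (used.session + tokens > perSession) return { allowed: false, reason: 'per-session cap' };
      if (used.period + tokens > perPeriod) return { allowed: false, reason: 'per-billing-period cap' };
      return { allowed: true };
    },
    // Record the consumption the API actually reported; estimates and actuals differ,
    // so the budget is charged only after the call completes.
    commit(tokens) {
      used.session += tokens;
      used.period += tokens;
    },
    newSession() { used.session = 0; },
    usage() { return { ...used }; },
  };
}

// Constructed walk-through of one session hitting each limit in turn.
const guard = createAgentGuard({
  perRequest: 1000,
  perSession: 2500,
  perPeriod: 4000,
  allowedTools: ['search', 'calendar'],
});
console.log(guard.check({ tokens: 500, tool: 'search' })); // { allowed: true }
guard.commit(500);
console.log(guard.check({ tokens: 10, tool: 'shell' }));   // denied: not on the allowlist
console.log(guard.check({ tokens: 1500 }));                 // denied: per-request cap
```

The allowlist check comes first on purpose: a call to a forbidden tool is refused regardless of how cheap it is, and the token checks never see it.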
Have questions about our security practices?