Security

Hardened by design. Yours, by default.

The same security model whether you self-host or run Cuitty Cloud. Every layer is auditable, every payload is signed, every permission check runs through SpiceDB.

Security pillars

Authn

BetterAuth at the front door

Every identity flow — sessions, API keys, OAuth, SAML, OIDC — routes through BetterAuth. The user table lives on your Postgres, not ours. MFA is supported out of the box with TOTP and WebAuthn.

How it works
  • Session tokens: HTTP-only, Secure, SameSite=Strict cookies
  • API keys scoped to project + tenant with configurable expiry
  • Self-hosted user table on your own Postgres instance
  • MFA support via TOTP (authenticator apps) and WebAuthn (passkeys, hardware keys)
Authz

SpiceDB / Zanzibar for permissions

Every read and every write is a permissions check against SpiceDB, Google's Zanzibar-inspired authorization system. The schema lives in your repo; the relations live in your tenant. Supports RBAC, ABAC, and resource-level permissions.

How it works
  • Model: subject → relation → resource (e.g., user:alice#viewer@repo:acme)
  • Schema versioned alongside application code in your repository
  • Per-tenant relation tuples for complete data isolation
  • Supports RBAC roles, ABAC attributes, and fine-grained resource permissions
definition user {}

definition project {
  relation owner: user
  relation editor: user
  relation viewer: user

  permission admin = owner
  permission write = editor + owner
  permission read  = viewer + write
}

definition repo {
  relation parent: project
  relation maintainer: user

  permission push  = maintainer + parent->write
  permission view  = parent->read
}
Integrity

HMAC-SHA256 on every event

Every payload entering Cuitty is signed with a per-project webhook secret using HMAC-SHA256. The signature is verified at the edge before the event reaches any persistence layer. Replay attacks are mitigated with a nonce and a 5-minute timestamp window.

How it works
  • Per-project webhook secret used for HMAC-SHA256 signing
  • Edge verification before any persistence or module processing
  • Replay protection: nonce + 5-minute timestamp window
  • Signatures stored alongside payloads for offline verification and forensics
Audit

Tamper-evident audit chain

Every admin action produces an audit entry containing the actor, action, resource, timestamp, a SHA-256 hash, and a pointer to the previous hash. The chain is cryptographically linked so any gap or mutation is detectable.

How it works
  • Fields: actor, action, resource, timestamp, hash, previous_hash
  • Cryptographically linked chain — any gap or mutation is detectable
  • Cloud: weekly Sigstore transparency log notarization
  • Self-hosted: cui audit verify CLI command for local chain verification
Secrets

Findings, never material

The secrets module ingests detector findings — file path, line number, detector name — not the secret values themselves. Retrieval is backed by 1Password CLI. Pilot-captured secrets are redacted before artifact persistence.

How it works
  • Ingests detector findings (file path, line, detector name), never raw values
  • Backed by 1Password CLI for secure retrieval when needed
  • Pilot-captured secrets redacted before artifact persistence
  • Regex-based redaction applied to all log, trace, and error payloads
Transport

TLS everywhere

TLS 1.2+ is enforced on every endpoint. Cloud certificates auto-renew via Let’s Encrypt. Self-hosted deployments can bring their own certs or use the bundled ACME client. All inter-service communication uses mTLS.

How it works
  • TLS 1.2+ enforced on every public and internal endpoint
  • Cloud: Let’s Encrypt with automatic certificate renewal
  • Self-hosted: bring-your-own certificates or bundled ACME client
  • mTLS between all Cuitty services; WebSocket endpoints are WSS-only

Product-by-product security model

Every Cuitty product inherits the six pillars above. This table highlights product-specific controls.

Product Auth Authz (SpiceDB) Encryption Audit
Code SSH keys, HTTPS tokens Repo/branch-level permissions At-rest (libSQL), in-transit (TLS) Every push, PR, merge, CI run
Persist API keys, session tokens Database/collection-level ACLs AES-256 at rest, TLS in transit Schema changes, migrations, backup events
Architect Session tokens, CLI keys Project/environment permissions TLS for all API calls Every deployment, config change, rollback
Observe SDK keys, session tokens Module-level read/write permissions TLS ingest, AES-256 at rest per module DB Ingest events, dashboard access, alert changes
Video Session tokens, upload keys Project-scoped upload/view permissions TLS upload, encrypted storage Upload, transcode, access, deletion events
Pilot Session tokens, agent keys Workflow/environment permissions TLS, secrets redacted before persist Every agent run, tool call, approval event
Tests CI tokens, session tokens Suite/project-level permissions TLS for results, at-rest for artifacts Test runs, flake detection, coverage changes
Toolbar Session tokens (WSS) Workspace-scoped permissions WSS-only (TLS WebSocket) Connection events, command invocations

Data flow

How data moves through Cuitty at every stage, from rest to transit to key management.

Data at rest

All data is stored in libSQL databases with AES-256 encryption. Each tenant gets its own isolated database. Self-hosted customers control the encryption keys directly; Cloud customers can use BYOK on the Enterprise tier.

Data in transit

TLS 1.2+ on every HTTP endpoint. WebSocket connections (Toolbar, live events) use WSS exclusively. Internal service-to-service communication is secured with mutual TLS (mTLS), with certificates rotated automatically.

Event pipeline

Event → HMAC sign → edge verify → module ingest → persist. Every event is signed at the source, verified at the edge before it reaches any module, and the signature is stored alongside the payload for later verification.

Key management

Per-project webhook secrets are generated on project creation and rotatable via the API or CLI at any time. Rotation is zero-downtime: both the old and new key are valid during a configurable grace period. BYOK is available on the Enterprise tier for full custody of encryption keys.

Compliance posture

Current status across Cloud and self-hosted deployments.

Standard Cloud Self-Hosted Details
SOC 2 Type II In progress N/A (your controls) Targeting Q3 2026 certification for Cloud
GDPR DPA available Full control Data processing agreement on request; EU data residency option
HIPAA Planned (2027) Customer responsibility BAA available on Enterprise tier upon certification
Data residency US, EU, AP 100% your choice Cloud regions: us-east, eu-west, ap-southeast
BYOK Enterprise tier Default (your keys) Bring your own encryption keys for all data at rest
Air-gap N/A Offline tarball Fully offline installation with no external network calls
Vulnerability scanning Continuous Bundled scanner Socket Firewall + Trivy container scanning on every build
Penetration testing Annual (Q3 2026) Customer-led Third-party pen test; report available under NDA
Completed
  • HMAC-SHA256 payload signing
  • SpiceDB authorization (Zanzibar)
  • BetterAuth authentication
  • Tamper-evident audit chain
  • TLS 1.2+ on all endpoints
  • mTLS between services
In progress
  • SOC 2 Type II certification (Q3 2026)
  • Third-party penetration test report (Q3 2026)
Planned
  • HIPAA BAA (2027)
  • ISO 27001 (2027)

Operational security

Security is not just the product. It is how we build, ship, and respond.

Dependency management

Every install routes through Socket Firewall (sfw). Dependencies are pinned to exact versions with stability days enforced. Renovate auto-updates are gated on security review for sensitive packages.

Build pipeline

Reproducible builds with locked dependencies. SBOM generated for every release. Signed container images published to a private registry. CI runs Socket, Trivy, and type-checking on every commit.

Incident response

48-hour acknowledgment SLA for all security reports. Dedicated incident response runbook. Post-incident reviews published to affected customers. Contact: [email protected].

Employee access

Least-privilege access for all employees. No standing admin access to production systems. Every access event is audit-logged. Production access requires approval and is time-boxed.

Responsible disclosure

In scope
  • All 8 Cuitty products (Code, Persist, Architect, Observe, Video, Pilot, Tests, Toolbar)
  • cuitty.com and all subdomains
  • Cloud infrastructure and APIs
Out of scope
  • Third-party services and integrations
  • Social engineering attacks
  • Denial-of-service (DoS/DDoS) attacks

Process
  1. Email your report to [email protected]
  2. Receive acknowledgment within 48 hours
  3. We target a fix within 90 days of confirmation
  4. Public disclosure + credit after the fix ships
Safe harbor

We will not pursue legal action against researchers acting in good faith. If you follow responsible disclosure practices, you are safe. PGP key available at /security.txt.

Need a security review?

Download our security whitepaper, request a vendor questionnaire response, or schedule a call with our security team.