Hardened by design. Yours, by default.
The same security model whether you self-host or run Cuitty Cloud. Every layer is auditable, every payload is signed, every permission check runs through SpiceDB.
Security pillars
BetterAuth at the front door
Every identity flow — sessions, API keys, OAuth, SAML, OIDC — routes through BetterAuth. The user table lives on your Postgres, not ours. MFA is supported out of the box with TOTP and WebAuthn.
- Session tokens: HTTP-only, Secure, SameSite=Strict cookies
- API keys scoped to project + tenant with configurable expiry
- Self-hosted user table on your own Postgres instance
- MFA support via TOTP (authenticator apps) and WebAuthn (passkeys, hardware keys)
SpiceDB / Zanzibar for permissions
Every read and every write is a permissions check against SpiceDB, Google's Zanzibar-inspired authorization system. The schema lives in your repo; the relations live in your tenant. Supports RBAC, ABAC, and resource-level permissions.
- Model: subject → relation → resource (e.g., user:alice#viewer@repo:acme)
- Schema versioned alongside application code in your repository
- Per-tenant relation tuples for complete data isolation
- Supports RBAC roles, ABAC attributes, and fine-grained resource permissions
definition user {}
definition project {
relation owner: user
relation editor: user
relation viewer: user
permission admin = owner
permission write = editor + owner
permission read = viewer + write
}
definition repo {
relation parent: project
relation maintainer: user
permission push = maintainer + parent->write
permission view = parent->read
} HMAC-SHA256 on every event
Every payload entering Cuitty is signed with a per-project webhook secret using HMAC-SHA256. The signature is verified at the edge before the event reaches any persistence layer. Replay attacks are mitigated with a nonce and a 5-minute timestamp window.
- Per-project webhook secret used for HMAC-SHA256 signing
- Edge verification before any persistence or module processing
- Replay protection: nonce + 5-minute timestamp window
- Signatures stored alongside payloads for offline verification and forensics
Tamper-evident audit chain
Every admin action produces an audit entry containing the actor, action, resource, timestamp, a SHA-256 hash, and a pointer to the previous hash. The chain is cryptographically linked so any gap or mutation is detectable.
- Fields: actor, action, resource, timestamp, hash, previous_hash
- Cryptographically linked chain — any gap or mutation is detectable
- Cloud: weekly Sigstore transparency log notarization
- Self-hosted: cui audit verify CLI command for local chain verification
Findings, never material
The secrets module ingests detector findings — file path, line number, detector name — not the secret values themselves. Retrieval is backed by 1Password CLI. Pilot-captured secrets are redacted before artifact persistence.
- Ingests detector findings (file path, line, detector name), never raw values
- Backed by 1Password CLI for secure retrieval when needed
- Pilot-captured secrets redacted before artifact persistence
- Regex-based redaction applied to all log, trace, and error payloads
TLS everywhere
TLS 1.2+ is enforced on every endpoint. Cloud certificates auto-renew via Let’s Encrypt. Self-hosted deployments can bring their own certs or use the bundled ACME client. All inter-service communication uses mTLS.
- TLS 1.2+ enforced on every public and internal endpoint
- Cloud: Let’s Encrypt with automatic certificate renewal
- Self-hosted: bring-your-own certificates or bundled ACME client
- mTLS between all Cuitty services; WebSocket endpoints are WSS-only
Product-by-product security model
Every Cuitty product inherits the six pillars above. This table highlights product-specific controls.
| Product | Auth | Authz (SpiceDB) | Encryption | Audit |
|---|---|---|---|---|
| Code | SSH keys, HTTPS tokens | Repo/branch-level permissions | At-rest (libSQL), in-transit (TLS) | Every push, PR, merge, CI run |
| Persist | API keys, session tokens | Database/collection-level ACLs | AES-256 at rest, TLS in transit | Schema changes, migrations, backup events |
| Architect | Session tokens, CLI keys | Project/environment permissions | TLS for all API calls | Every deployment, config change, rollback |
| Observe | SDK keys, session tokens | Module-level read/write permissions | TLS ingest, AES-256 at rest per module DB | Ingest events, dashboard access, alert changes |
| Video | Session tokens, upload keys | Project-scoped upload/view permissions | TLS upload, encrypted storage | Upload, transcode, access, deletion events |
| Pilot | Session tokens, agent keys | Workflow/environment permissions | TLS, secrets redacted before persist | Every agent run, tool call, approval event |
| Tests | CI tokens, session tokens | Suite/project-level permissions | TLS for results, at-rest for artifacts | Test runs, flake detection, coverage changes |
| Toolbar | Session tokens (WSS) | Workspace-scoped permissions | WSS-only (TLS WebSocket) | Connection events, command invocations |
Data flow
How data moves through Cuitty at every stage, from rest to transit to key management.
All data is stored in libSQL databases with AES-256 encryption. Each tenant gets its own isolated database. Self-hosted customers control the encryption keys directly; Cloud customers can use BYOK on the Enterprise tier.
TLS 1.2+ on every HTTP endpoint. WebSocket connections (Toolbar, live events) use WSS exclusively. Internal service-to-service communication is secured with mutual TLS (mTLS), with certificates rotated automatically.
Event → HMAC sign → edge verify → module ingest → persist. Every event is signed at the source, verified at the edge before it reaches any module, and the signature is stored alongside the payload for later verification.
Per-project webhook secrets are generated on project creation and rotatable via the API or CLI at any time. Rotation is zero-downtime: both the old and new key are valid during a configurable grace period. BYOK is available on the Enterprise tier for full custody of encryption keys.
Compliance posture
Current status across Cloud and self-hosted deployments.
| Standard | Cloud | Self-Hosted | Details |
|---|---|---|---|
| SOC 2 Type II | In progress | N/A (your controls) | Targeting Q3 2026 certification for Cloud |
| GDPR | DPA available | Full control | Data processing agreement on request; EU data residency option |
| HIPAA | Planned (2027) | Customer responsibility | BAA available on Enterprise tier upon certification |
| Data residency | US, EU, AP | 100% your choice | Cloud regions: us-east, eu-west, ap-southeast |
| BYOK | Enterprise tier | Default (your keys) | Bring your own encryption keys for all data at rest |
| Air-gap | N/A | Offline tarball | Fully offline installation with no external network calls |
| Vulnerability scanning | Continuous | Bundled scanner | Socket Firewall + Trivy container scanning on every build |
| Penetration testing | Annual (Q3 2026) | Customer-led | Third-party pen test; report available under NDA |
- ✓ HMAC-SHA256 payload signing
- ✓ SpiceDB authorization (Zanzibar)
- ✓ BetterAuth authentication
- ✓ Tamper-evident audit chain
- ✓ TLS 1.2+ on all endpoints
- ✓ mTLS between services
- • SOC 2 Type II certification (Q3 2026)
- • Third-party penetration test report (Q3 2026)
- • HIPAA BAA (2027)
- • ISO 27001 (2027)
Operational security
Security is not just the product. It is how we build, ship, and respond.
Every install routes through Socket Firewall (sfw). Dependencies are pinned to exact versions with stability days enforced. Renovate auto-updates are gated on security review for sensitive packages.
Reproducible builds with locked dependencies. SBOM generated for every release. Signed container images published to a private registry. CI runs Socket, Trivy, and type-checking on every commit.
48-hour acknowledgment SLA for all security reports. Dedicated incident response runbook. Post-incident reviews published to affected customers. Contact: [email protected].
Least-privilege access for all employees. No standing admin access to production systems. Every access event is audit-logged. Production access requires approval and is time-boxed.
Responsible disclosure
- All 8 Cuitty products (Code, Persist, Architect, Observe, Video, Pilot, Tests, Toolbar)
- cuitty.com and all subdomains
- Cloud infrastructure and APIs
- Third-party services and integrations
- Social engineering attacks
- Denial-of-service (DoS/DDoS) attacks
- Email your report to [email protected]
- Receive acknowledgment within 48 hours
- We target a fix within 90 days of confirmation
- Public disclosure + credit after the fix ships
We will not pursue legal action against researchers acting in good faith. If you follow responsible disclosure practices, you are safe. PGP key available at /security.txt.
Need a security review?
Download our security whitepaper, request a vendor questionnaire response, or schedule a call with our security team.