Detailed Security Review

Google OAuth 2.0 (OIDC) is supported for self-serve users. SAML 2.0 federation is standard on the Enterprise tier. It integrates with Microsoft Entra ID (Azure AD), Okta, Ping Identity, and ADFS.

We inherit MFA configurations enforced by your identity providers (SSO/SAML/Google). We do not store passwords, meaning all verification flags run through your existing security checkpoints.

Yes. Workspace-level roles include Owner, Editor, and Viewer. RBAC is verified in application middlewares and database query rules.

No. Authentication is fully passwordless via magic email links, Google SSO, and SAML integrations.

We collect uploaded code files/queries solely to modernize them. Metadata like transaction counts, workspace configuration, and audit security events are stored. Code structures are never used to train public LLM agents.

Yes. Accounts undergo a 30-day soft-delete period, followed by complete physical erasure from all active servers. Backups are overwritten on a rolling 30-day cycle.

TLS 1.3 is enforced on all ingress APIs. Internal micro-service endpoints communicate via Google’s TLS envelopes. Downgrade requests are blocked.

AES-256 encryption is applied via GCP defaults. KMS Customer-Managed Encryption Keys (CMEK) can be provisioned on Enterprise.

Yes. All codebase modifications require pull request reviews by certified senior developers and clear automated validation pipelines before shipping.

Yes. Automated scanners inspect dependencies daily. High and critical CVEs trigger build halts and patch requirements.