Security
Security practices for DevOps AI Toolkit
Our approach
DevOps AI Toolkit is built and run by a senior systems engineer with a production-operations mindset — the same discipline we bring to the infrastructure we audit. Our philosophy is simple:
- Security-first development. Security is a design input, not an afterthought bolted on later.
- Least privilege. Services and integrations get the minimum access they need — nothing more.
- Privacy-focused design. The core tools (validators) run entirely in your browser; nothing is uploaded.
- No unnecessary data collection. We do not collect customer data we do not need to operate the product.
- Production engineering mindset. We treat this platform like the production systems we run for a living.
Infrastructure security
HTTPS everywhere
In placeAll traffic is served over HTTPS and redirected from HTTP.
Modern TLS
In placeTLS is terminated by a Caddy reverse proxy using modern ciphers and automatic certificate management.
Managed authentication
In placeMember authentication is handled by a dedicated identity provider (Clerk) rather than a home-grown system.
Password hashing
In placeCredentials are hashed by the identity provider — passwords are never stored in plaintext by us.
Reduced attack surface
In placeThe public site is static-generated; secrets and privileged logic stay server-side, never in the browser bundle.
Regular dependency updates
In placeDependencies are reviewed and updated regularly to pick up upstream security fixes.
Automated dependency scanning
PlannedContinuous vulnerability scanning of third-party dependencies in CI.
How your data is handled
Account protection
Member accounts, sessions, and billing are managed through established providers (Clerk for auth, Stripe for payments) — we never see or store raw card data.
Minimal data retention
Public guides, prompts, and validators require no account. We only retain what a signed-in member creates (saved prompts, history) and nothing more.
Encryption in transit
All data moves over encrypted HTTPS/TLS connections between your browser, our services, and third-party providers.
No plaintext passwords
Passwords are hashed by the identity provider. We have no access to, and never store, plaintext credentials.
Using the AI tools safely
- Your prompts are processed only to generate the outputs you request — the validators run entirely client-side, and the Incident Assistant sends your input to an AI provider solely to produce a response.
- Avoid submitting secrets, passwords, private keys, or confidential production credentials unless you understand the associated risks of sending data to any AI service.
- Sanitize sensitive infrastructure data — redact hostnames, tokens, and IPs — before sharing it with this or any AI tool. Our prompt library is written with redaction in mind.
Report a vulnerability
If you discover a security issue, please report it responsibly rather than disclosing it publicly. We aim to acknowledge reports promptly and work to resolve verified vulnerabilities. Please include steps to reproduce and any relevant details.
Contact SecurityPlanned security features
These are planned enhancements aimed at enterprise teams — they are not available today. Several relate to the Enterprise roadmap.
- PlannedSingle Sign-On (SSO)
- PlannedAudit logging
- PlannedAPI tokens
- PlannedOrganization management
- PlannedRole-based access control (RBAC)
- PlannedMulti-factor authentication (MFA)
- PlannedSCIM provisioning
- PlannedSecurity event history
See how these practices support real engagements on Enterprise and Case Studies, review our support tiers on the SLA page, or check live System Status.