Trust Center

Security

Security practices for DevOps AI Toolkit

Our approach

DevOps AI Toolkit is built and run by a senior systems engineer with a production-operations mindset — the same discipline we bring to the infrastructure we audit. Our philosophy is simple:

  • Security-first development. Security is a design input, not an afterthought bolted on later.
  • Least privilege. Services and integrations get the minimum access they need — nothing more.
  • Privacy-focused design. The core tools (validators) run entirely in your browser; nothing is uploaded.
  • No unnecessary data collection. We do not collect customer data we do not need to operate the product.
  • Production engineering mindset. We treat this platform like the production systems we run for a living.

In place today

Infrastructure security

HTTPS everywhere

In place

All traffic is served over HTTPS and redirected from HTTP.

Modern TLS

In place

TLS is terminated by a Caddy reverse proxy using modern ciphers and automatic certificate management.

Managed authentication

In place

Member authentication is handled by a dedicated identity provider (Clerk) rather than a home-grown system.

Password hashing

In place

Credentials are hashed by the identity provider — passwords are never stored in plaintext by us.

Reduced attack surface

In place

The public site is static-generated; secrets and privileged logic stay server-side, never in the browser bundle.

Regular dependency updates

In place

Dependencies are reviewed and updated regularly to pick up upstream security fixes.

Automated dependency scanning

Planned

Continuous vulnerability scanning of third-party dependencies in CI.

Data protection

How your data is handled

Account protection

Member accounts, sessions, and billing are managed through established providers (Clerk for auth, Stripe for payments) — we never see or store raw card data.

Minimal data retention

Public guides, prompts, and validators require no account. We only retain what a signed-in member creates (saved prompts, history) and nothing more.

Encryption in transit

All data moves over encrypted HTTPS/TLS connections between your browser, our services, and third-party providers.

No plaintext passwords

Passwords are hashed by the identity provider. We have no access to, and never store, plaintext credentials.

AI privacy

Using the AI tools safely

  • Your prompts are processed only to generate the outputs you request — the validators run entirely client-side, and the Incident Assistant sends your input to an AI provider solely to produce a response.
  • Avoid submitting secrets, passwords, private keys, or confidential production credentials unless you understand the associated risks of sending data to any AI service.
  • Sanitize sensitive infrastructure data — redact hostnames, tokens, and IPs — before sharing it with this or any AI tool. Our prompt library is written with redaction in mind.

Responsible disclosure

Report a vulnerability

If you discover a security issue, please report it responsibly rather than disclosing it publicly. We aim to acknowledge reports promptly and work to resolve verified vulnerabilities. Please include steps to reproduce and any relevant details.

Contact Security

Roadmap

Planned security features

These are planned enhancements aimed at enterprise teams — they are not available today. Several relate to the Enterprise roadmap.

  • Planned: Single Sign-On (SSO)
  • Planned: Audit logging
  • Planned: API tokens
  • Planned: Organization management
  • Planned: Role-based access control (RBAC)
  • Planned: Multi-factor authentication (MFA)
  • Planned: SCIM provisioning
  • Planned: Security event history

See how these practices support real engagements on Enterprise and Case Studies, review our support tiers on the SLA page, or check live System Status.