Security & Compliance
Your trust is our foundation. Skopx implements enterprise-grade security at every layer to protect your code, data, and intellectual property.
- AES-256: encryption at rest
- TLS 1.3: encryption in transit
- Row-Level Security: complete data isolation
- PCI DSS Level 1: via Stripe
Section 1
Executive Summary
Skopx is an enterprise AI platform that processes sensitive business data, code repositories, and organizational knowledge. Security is built into every layer of the architecture.
- AES-256-CBC encryption at rest with unique random salt and IV per operation
- TLS 1.3 encryption in transit with HSTS enforcement (2-year max-age)
- PostgreSQL Row-Level Security (RLS) enforcing complete multi-tenant data isolation
- No payment data stored by Skopx. All payment processing handled entirely by Stripe (PCI DSS Level 1)
- Role-based access control with Owner, Admin, Member, and Viewer permission levels
- Comprehensive audit logging via database-level triggers on all critical operations
- BYOK (Bring Your Own Key) support for enterprise users who want full control of their AI provider credentials
- Zero model training on user data. Your data is never used to train AI models
Section 2
Platform Architecture
| Component | Technology | Security Role |
|---|---|---|
| Application Framework | Next.js 14 (App Router) | Server-side rendering, middleware-based auth |
| Database | Supabase PostgreSQL | Row-Level Security, encrypted connections |
| Authentication | Supabase Auth | JWT sessions, HTTP-only secure cookies |
| Payments | Stripe | PCI DSS Level 1, no card data on our servers |
| AI Provider | Anthropic Claude | No training on customer data per Anthropic policy |
| Hosting | Railway | Managed infrastructure with TLS termination |
| Encryption | Node.js crypto (AES-256-CBC) | All credentials encrypted before storage |
Section 3
Encryption and Key Management
3.1 Encryption at Rest
All sensitive credentials stored in the database are encrypted using AES-256-CBC before being written. This includes OAuth tokens (GitHub, GitLab), database connection configurations, and user-supplied API keys.
| Parameter | Value | Purpose |
|---|---|---|
| Algorithm | AES-256-CBC | Industry-standard symmetric encryption |
| Key Derivation | scrypt (32-byte output) | Memory-hard function resistant to GPU/ASIC attacks |
| Salt | Random 16 bytes per operation | Prevents rainbow table attacks |
| Initialization Vector | Random 16 bytes per operation | Ensures identical data produces different ciphertext |
| Ciphertext Format | salt:iv:encrypted (hex) | Self-contained, no external lookup needed |
| Key Source | Environment variable (server-only) | Never committed to code or exposed client-side |
3.2 Encryption in Transit
All client-server communication is encrypted using TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age and includeSubDomains directive, ensuring browsers always use HTTPS connections.
3.3 Key Management
Encryption keys are managed through environment variables that are:
- Stored in the hosting platform's secret manager (Railway)
- Never committed to source code or version control
- Rotatable without data migration (new encryption operations use new keys)
- Segregated by purpose: separate keys for OAuth tokens vs. database configs
- Fail-hard: missing keys cause immediate startup failure, not silent degradation
Section 4
Authentication and Access Control
4.1 Authentication
Skopx uses Supabase Auth, built on PostgreSQL, for user authentication:
- Session tokens: JWT stored in secure HTTP-only cookies via @supabase/ssr
- Token validation: Every protected route calls getUser() to verify the session against the auth server
- Password requirements: Minimum 10 characters, must include uppercase, lowercase, digit, and special character
- OAuth support: GitHub and GitLab OAuth 2.0 for repository integrations
4.2 Role-Based Access Control (RBAC)
Organizations use a four-tier permission model:
| Role | Permissions |
|---|---|
| Owner | Full control: manage members, billing, integrations, data, and organization settings. Can delete the organization. |
| Admin | Manage members, integrations, and projects. Cannot modify billing or delete the organization. |
| Member | Create and manage their own projects, conversations, and data queries. Can view shared resources. |
| Viewer | Read-only access to shared projects and resources. Cannot create or modify data. |
4.3 Subscription Enforcement
Authentication middleware enforces subscription status at the routing level:
- Active subscriptions: full platform access
- Past-due: 3-day grace period before access is restricted
- Cancelled: redirected to billing page
- Pending: redirected to pricing page
Section 5
Data Isolation and Multi-Tenancy
5.1 Row-Level Security (RLS)
Every user-facing database table has PostgreSQL Row-Level Security enabled. RLS policies are enforced at the database engine level, meaning that even if application code has a bug, the database itself prevents unauthorized data access.
- Users can only read/write data belonging to their organization
- Organization membership is verified via subquery on every data access
- Role-based permissions (admin vs. member vs. viewer) are checked per operation
- Service-role operations (admin-level) use a separate, server-only credential
5.2 Organization-Scoped Data
All data tables include an organization_id foreign key. Data relationships cascade properly:
- Deleting a user cascades to their profiles, connections, and API keys
- Deleting an organization cascades to all projects, conversations, integrations, repos, tasks, usage events, and audit logs
- No orphaned data remains after account or organization deletion
5.3 Sensitive Data Separation
Highly sensitive tables use service-role-only access:
- user_api_keys: Encrypted API keys accessible only via server-side service role
- organization_billing: Stripe subscription data, scoped to organization admins
- audit_logs: Immutable operation history, viewable only by org admins
Section 6
Payment Security
Skopx does not process, transmit, or store any payment card information. All payment operations are fully delegated to Stripe, which maintains PCI DSS Level 1 certification (the highest level of payment security compliance).
6.1 Payment Data Flow
- User clicks "Subscribe" and is redirected to a Stripe-hosted checkout page
- Card details are entered directly on Stripe's domain (never on skopx.com)
- Stripe processes the payment and sends a webhook notification to Skopx
- Skopx verifies the webhook signature (HMAC) before processing
- Only non-sensitive metadata (subscription ID, status, period dates) is stored
6.2 What Skopx Does NOT Store
| Data Type | Stored by Skopx? | Handled By |
|---|---|---|
| Credit/debit card numbers | No | Stripe only |
| CVV / security codes | No | Stripe only |
| Card expiration dates | No | Stripe only |
| Bank account details | No | Stripe only |
| Billing address | No | Stripe only |
| Stripe customer ID | Yes (non-sensitive) | Skopx database |
| Subscription ID and status | Yes (non-sensitive) | Skopx database |
| Billing period and plan tier | Yes (non-sensitive) | Skopx database |
6.3 Webhook Security
All Stripe webhook events are verified using HMAC signature verification before processing. Events with missing or invalid signatures are rejected with a 400 status code. The webhook secret is stored as an environment variable and never exposed in client-side code.
Section 7
API and Network Security
7.1 Security Headers
| Header | Value / Policy |
|---|---|
| Content-Security-Policy | Restrictive: default-src 'self', frame-ancestors 'none' |
| Strict-Transport-Security | max-age=31536000; includeSubDomains (2-year HSTS) |
| X-Frame-Options | DENY (prevents clickjacking) |
| X-Content-Type-Options | nosniff (prevents MIME sniffing) |
| Referrer-Policy | strict-origin-when-cross-origin |
| X-XSS-Protection | 1; mode=block |
| Permissions-Policy | camera=(), microphone=(self), geolocation=(self) |
| X-Powered-By | Removed (framework version hidden) |
7.2 Rate Limiting
- API requests: 100 requests per minute per client
- Authentication attempts: 10 attempts per 15 minutes per client
- Data queries: 50 queries per minute per client
Rate limit responses include X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers.
7.3 Input Validation
- Email format validation on authentication
- Password complexity enforcement (min 10 chars, mixed case, digit, special)
- Message length limits on chat/query endpoints
- Repository name format validation (regex-based)
- Enum validation for plan types, project statuses
- Stripe checkout parameters clamped to valid ranges
7.4 Image Domain Allowlisting
External image loading is restricted to an explicit allowlist of trusted domains. No arbitrary external images can be loaded, preventing image-based tracking and SSRF attacks.
Section 8
Audit Logging and Monitoring
Skopx maintains comprehensive audit logs for all critical database operations via PostgreSQL database-level triggers.
8.1 What is Logged
- User identity: Which user performed the action
- Organization: Which organization the action belongs to
- Action type: INSERT, UPDATE, or DELETE
- Target table: Which database table was affected
- Previous values: Snapshot of data before the change
- New values: Snapshot of data after the change
- Timestamp: Exact time of the operation
8.2 Audit Log Access
- Audit logs are protected by Row-Level Security
- Only organization administrators can view their organization's audit trail
- Audit log entries are immutable (no UPDATE or DELETE operations allowed on the logs)
- Usage events tracked separately for billing reconciliation and anomaly detection
Section 9
Data Privacy and Ownership
9.1 Your Data, Your Control
- You retain full ownership of all data uploaded to or generated within Skopx
- Export your data anytime in standard formats (Excel, Word, PowerPoint, PDF)
- No vendor lock-in: your data structure is transparent and accessible
- Account deletion permanently removes all associated data via cascade delete
9.2 AI Model Training
Skopx does not train AI models on customer data. When processing your queries:
- Your data is sent to Anthropic Claude for processing and returned
- Anthropic does not use API-submitted data for model training
- BYOK users: data flows directly to your own Anthropic account
- No customer data is shared with third parties for any training purpose
9.3 BYOK (Bring Your Own Key)
Enterprise users can supply their own Anthropic API keys:
- Keys are encrypted with AES-256-CBC before storage (unique salt/IV per key)
- Keys are scoped to the individual user (one key per provider per user)
- Keys are only accessible via service-role database operations (never client-exposed)
- Keys are never logged and never appear in API responses; only a masked form (sk-ant-****) is ever displayed
- Keys can be deleted instantly, which removes the encrypted credential permanently
9.4 Data Deletion
When a user or organization is deleted, all associated data is permanently removed:
- User deletion cascades to: profiles, organization memberships, connections, API keys
- Organization deletion cascades to: all projects, conversations, integrations, repositories, tasks, usage events, audit logs
- Deletion is permanent with no soft-delete retention period for sensitive data
- No orphaned data or references remain after deletion
Section 10
Compliance Posture
| Framework | Status | Details |
|---|---|---|
| PCI DSS Level 1 | Active (via Stripe) | No payment data touches Skopx servers. Stripe maintains Level 1 certification. |
| GDPR | Aligned | Data ownership, right to deletion, data minimization, and BYOK for EU data control. |
| SOC 2 Type II | Controls in Place | Access controls, encryption, audit logging, and monitoring aligned with SOC 2 trust principles. |
| ISO 27001 | Aligned | Information security management practices follow ISO 27001 framework. |
| CCPA | Aligned | California Consumer Privacy Act: data access, deletion, and portability rights supported. |
"Controls in Place" means the technical controls required by the framework are implemented in the platform. "Aligned" means the platform follows the framework's principles and practices.
Section 11
Incident Response
Skopx follows a structured incident response process:
- Detection: Monitoring and automated alerting for security events and anomalies.
- Assessment: Immediate triage to determine scope, severity, and affected systems.
- Containment: Isolate affected systems to prevent further impact or spread.
- Communication: Transparent notification to affected customers within 72 hours of a confirmed incident.
- Resolution: Fix the root cause vulnerability and restore normal operations.
- Review: Post-incident analysis, documentation, and process improvements to prevent recurrence.
Security vulnerabilities can be reported to team@skopx.com. We acknowledge all reports within 24 hours.
Section 12
Third-Party Dependencies
Skopx integrates with the following third-party services. Each is selected for its security posture and compliance certifications:
| Service | Purpose | Security Posture |
|---|---|---|
| Stripe | Payment processing | PCI DSS Level 1, SOC 2 Type II certified |
| Supabase | Database and authentication | SOC 2 Type II, encrypted connections, RLS |
| Anthropic | AI model provider | SOC 2 Type II, no API data used for training |
| Railway | Application hosting | SOC 2 Type II, managed TLS, isolated containers |
| GitHub/GitLab | Repository integration | OAuth 2.0, encrypted token storage in Skopx |
This document is maintained by the Skopx team. For questions, security questionnaires, or to report a vulnerability, contact team@skopx.com.
Last updated: May 27, 2026