A plain security packet without borrowed compliance claims.
Skylos is early and does not claim SOC 2, ISO 27001, or CSA STAR certification today. This page documents the controls that are present in the application, the data Skylos Cloud handles, the providers involved, and the gaps we still need to close.
Last code-vetted review: May 16, 2026
Current packet
A public, code-vetted overview for lightweight buyer reviews and early procurement conversations.
Self-assessment first
We are documenting current controls before pursuing SOC 2, ISO 27001, CSA validation, or third-party audit marks.
No overclaiming
If a control is not implemented or externally audited, this page says so directly.
Code-vetted security checklist
These are statements we can tie back to repository code, config, or migrations. They are not a third-party audit opinion.
Authenticated workspace access
Dashboard routes use Supabase SSR sessions and organization membership checks before loading workspace data.
Code-vetted route and session controls
Role-based permissions
The app separates viewer, member, admin, and owner permissions. Credit-spending actions require a dedicated spend:credits permission.
Code-vetted permission matrix
Project API key hashing
Project upload keys are generated with the sk_live_ prefix and stored as SHA-256 hashes. Secondary keys can be issued and revoked for rotation.
Code-vetted credential lifecycle
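As an added example (not Skylos's own code), the credential lifecycle described above in TypeScript: a key is issued with the sk_live_ prefix, only its SHA-256 digest is stored, verification compares digests in constant time against every non-revoked key so a secondary key works during rotation, and revocation keeps the row for audit. The in-memory key table and the StoredKey shape are assumptions standing in for the real database.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// In-memory stand-in for a project_api_keys table (assumption, not the real schema).
type StoredKey = { id: string; keyHash: string; revokedAt: string | null };
const keyStore = new Map<string, StoredKey[]>(); // projectId -> issued keys

// One hash routine shared by issue and verify: only the SHA-256 digest is ever stored.
export function hashApiKey(plaintext: string): string {
  return createHash("sha256").update(plaintext, "utf8").digest("hex");
}

// Issue a sk_live_ key. The plaintext is returned exactly once and never persisted,
// so a database leak yields only digests that cannot be replayed as keys.
export function issueProjectKey(projectId: string, id: string = randomBytes(8).toString("hex")): string {
  const plaintext = `sk_live_${randomBytes(24).toString("base64url")}`;
  const keys = keyStore.get(projectId) ?? [];
  keys.push({ id, keyHash: hashApiKey(plaintext), revokedAt: null });
  keyStore.set(projectId, keys);
  return plaintext;
}

// Verify by hashing the presented key and comparing digests in constant time against
// every non-revoked key, so primary and secondary keys both work during rotation.
export function verifyProjectKey(projectId: string, presented: string): StoredKey | null {
  if (!presented.startsWith("sk_live_")) return null;
  const digest = Buffer.from(hashApiKey(presented), "hex");
  for (const key of keyStore.get(projectId) ?? []) {
    if (key.revokedAt !== null) continue;
    if (timingSafeEqual(digest, Buffer.from(key.keyHash, "hex"))) return key;
  }
  return null;
}

// Revoke by id. The row is kept with a timestamp for audit, but it never verifies again.
export function revokeProjectKey(projectId: string, id: string): boolean {
  const key = (keyStore.get(projectId) ?? []).find((k) => k.id === id);
  if (key === undefined || key.revokedAt !== null) return false;
  key.revokedAt = new Date().toISOString();
  return true;
}
```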
Restricted GitHub OIDC uploads
Tokenless CI accepts GitHub OIDC tokens only after issuer, audience, repository owner, push event, branch ref, and subject checks pass.
Code-vetted identity checks
Bounded report ingestion
Cloud report uploads cap request size, finding count, snippets, messages, and file paths before storing scan evidence.
Code-vetted upload limits
Security headers and CSP
The app sets a nonce-backed Content Security Policy plus HSTS, frame protection, no-sniff, referrer, and permissions-policy headers.
Code-vetted response headers
Public scanner limits
The no-signup public scanner accepts GitHub repository URLs only, caps request size, uses server-side rate and concurrency leases, and cleans temporary clone directories.
Code-vetted public scan controls
Safer CSV exports
CSV output goes through a shared encoder that quotes cells and neutralizes spreadsheet formula prefixes.
Code-vetted export encoder
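Added example, not Skylos's encoder: a shared CSV cell encoder that always quotes string cells and prefixes any cell that would start a spreadsheet formula with an apostrophe, so a finding message or file path such as =HYPERLINK(...) is shown as text rather than evaluated. The prefix set and the choice to emit finite numbers unquoted are assumptions.

```typescript
// Leading characters that Excel, LibreOffice and Google Sheets treat as the start of a
// formula; tab and carriage return are included as well, matching common CSV injection guidance.
const FORMULA_PREFIXES = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Encode one cell. Strings are always quoted (so commas, quotes and newlines in finding
// messages or file paths cannot split a row) and, when they would start a formula, are
// prefixed with an apostrophe so the spreadsheet shows them as literal text.
export function encodeCsvCell(value: unknown): string {
  // A finite number is not a formula, so it is emitted bare. "-5" as text still gets the
  // apostrophe (assumed policy: a visible quirk is preferable to a silently evaluated cell).
  if (typeof value === "number" && Number.isFinite(value)) return String(value);
  const text = value === null || value === undefined ? "" : String(value);
  const start = text.charAt(0);
  const startTrimmed = text.trimStart().charAt(0); // leading spaces do not disarm a formula
  const risky = FORMULA_PREFIXES.has(start) || FORMULA_PREFIXES.has(startTrimmed);
  const safe = risky ? `'${text}` : text;
  return `"${safe.replace(/"/g, '""')}"`;
}

// Encode a whole export; header and every row go through the same cell encoder.
export function encodeCsv(header: string[], rows: unknown[][]): string {
  return [header, ...rows].map((row) => row.map(encodeCsvCell).join(",")).join("\r\n") + "\r\n";
}
```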
Marketing analytics bounds
Marketing page-view events require a trusted origin, cap request size, sanitize nested attribution fields, and write through a server-side analytics path.
Code-vetted analytics route and sanitization
Data Skylos Cloud may store
- Workspace, organization, project, member, role, and billing metadata
- Scan metadata such as project, commit, branch, tool version, upload method, and CI context
- Finding records, rule identifiers, severity, file paths, line numbers, remediation state, and optional snippets
- Optional AI provenance, defense, debt, and compliance evidence when those scan modes are uploaded
- Team workflow records such as assignments, comments, suppressions, overrides, exception requests, and activity entries
- Optional AI action context when a user explicitly triggers AI triage, fix, or compliance report features
What we do not claim today
- Skylos is not SOC 2 certified today.
- Skylos does not claim ISO/IEC 27001 certification today.
- Skylos does not claim CSA STAR certification or a paid third-party badge today.
- Skylos does not offer SAML SSO, SCIM, dedicated tenancy, private networking, or formal data residency guarantees today.
- Skylos does not publish a completed third-party penetration test report today.
Providers and optional integrations
Skylos uses managed providers rather than dedicated customer infrastructure today. Optional integrations only apply when a workspace configures or triggers the related feature.
| Provider | Purpose |
|---|---|
| Vercel | Application hosting, deployment, edge delivery, and web analytics |
| Supabase | Authentication, Postgres database, row-level security, and object storage |
| GitHub | GitHub App integration, repository metadata, pull request workflows, and OIDC identity |
| Lemon Squeezy | Checkout, payments, invoices, refunds, and billing records |
| OpenAI | Optional AI-assisted fixes, triage, and compliance reports when a user triggers those features |
| Slack and Discord | Optional customer-configured notification destinations |
Available now
- Security overview and data handling summary
- Operational provider and optional integration list
- Vulnerability disclosure contact and security.txt
- Role and permission summary
- Report upload and public scanner data-flow notes
- Known compliance gap statement for SOC 2, ISO 27001, and CSA STAR
Roadmap
- CAIQ-Lite answer file based on the current code-vetted checklist
- Public DPA and formal subprocessor notice process
- Self-serve organization deletion and retention controls
- Hosted status provider with incident history
- Third-party penetration test summary
- SOC 2 Security criteria control map before any auditor engagement
- SAML or enterprise OIDC SSO, SSO-only enforcement, and SCIM
Security review contact
For security questions, report requests, or vulnerability reports, contact aaron@skylos.dev. For buyer reviews, we can provide this trust summary and a current control checklist without claiming third-party compliance.