Security

Artifacts and credentials,
treated like they matter.

The current code is designed for private artifact handling, protected access material, and disclosed AI boundaries. Production verification remains a launch gate.

Private artifact storage

Build APKs and review artifacts are stored in authenticated buckets. No public URLs or CDN exposure.

Pixel-redacted credentials

Test credentials are encrypted at rest and kept out of logs and screenshots through capture-time redaction.

Workspace-aware API access

Automation access checks the key owner and current workspace membership before an app or review can be read or changed.

AI processing disclosure

AI processing services and data boundaries are documented so teams can review how report synthesis works.

Commitments

What we promise.

  • Build artifacts are stored privately in authenticated cloud storage.
  • Authentication credentials are encrypted at rest and excluded or pixel-redacted before AI model calls.
  • API access enforces owner/workspace membership with audit-friendly logging.
  • AI usage is disclosed, with fail-closed redaction at each external processing boundary.
  • Findings are grounded to runtime evidence.
  • Verification history is preserved per finding for compliance and calibration.
Read AI disclosure
Compliance roadmap

Current controls and planned milestones.

Implemented means present in the current codebase. Contractual commitments and independently verified production status are stated separately.

  • Encryption at rest and in transitImplemented
  • Fail-closed redaction before AI model callsImplemented
  • AI processing disclosureImplemented
  • Workspace audit logImplemented
  • SOC 2 Type 1Planned
  • SOC 2 Type 2Planned
  • SSO and SAMLPlanned
  • On-prem deploymentFuture

Security contact.

Email security@caraxe.app for responsible disclosure or compliance details.