Security & Privacy

Our Security Philosophy

At AetherCI, we understand that you're trusting us with sensitive CI/CD data including deployment logs, YAML configurations, error messages, and insights into your technology stack. Security isn't a feature we add later—it's built into every layer of our platform from day one.

Our commitment: Your data is never used to train AI models, never shared with third parties, and protected by multiple layers of security following industry best practices.

AI Analysis & Data Privacy

Powered by Anthropic Claude API

We use Anthropic's Claude AI to perform root cause analysis on your CI/CD failures. Claude is specifically designed with enterprise privacy and safety in mind.

Zero Data Retention (ZDR)

For our Enterprise tier, we utilize Anthropic's Zero Data Retention feature, which means:

No storage: Your prompts, outputs, and metadata are never persisted on Anthropic's systems
Real-time only: Data is analyzed in real-time and immediately discarded
No training: Your data is never used to train or improve AI models
30-day deletion: Any cached data is automatically removed within 30 days

What Data Does the AI See?

When analyzing a CI/CD failure, Claude receives only the necessary context:

Build/deployment logs (error messages, stack traces)
Git commit metadata (messages, branch names, changed file paths)
Workflow configuration excerpts (relevant YAML sections)
Integration status information

We never send your full source code, secrets, API keys, or credentials to the AI.

Enterprise Option: We're developing a "Bring Your Own API Key" (BYOK) feature that allows you to use your own Anthropic API account, giving you direct control over the AI provider relationship and usage visibility. Contact us if this is important for your organization.

Platform Security Architecture

Multi-Tenant Data Isolation

We implement Row Level Security (RLS) in our database to ensure complete data isolation between organizations:

Database-enforced isolation: PostgreSQL RLS policies prevent cross-organization data access at the database level
Authenticated access only: Every query includes user authentication and organization membership validation
No shared data: Your projects, analyses, and integrations are only accessible to your organization

Encryption

We protect your data with industry-standard encryption:

In transit: TLS 1.2+ for all network requests (HTTPS)
At rest: AES-256 encryption for all stored data
Secrets management: Integration credentials (GitHub tokens, API keys, etc.) are encrypted using application-level encryption with Fernet (symmetric encryption)
Key management: Encryption keys are stored securely in environment variables, never in code or version control

Authentication & Authorization

Supabase Auth: Industry-standard authentication with JWT tokens
Session management: Short-lived access tokens (15 minutes) with secure refresh token rotation
Role-based access control: Granular permissions based on organization membership
OAuth integrations: When connecting to GitHub, AWS, etc., we only request the minimum required permissions

Infrastructure Security

Hosted on secure infrastructure: Backend on Render.com, database on Supabase, frontend on Netlify
Automated backups: Daily database backups with point-in-time recovery
DDoS protection: Rate limiting on all API endpoints to prevent abuse
Security monitoring: Automated alerts for suspicious activity and authentication failures

Compliance & Certifications

Current Status

GDPR Ready

SOC 2 In Progress

Compliance Standards

We're committed to meeting enterprise compliance requirements:

GDPR: Data Processing Agreements (DPA) available, right to deletion, data encryption, access controls, audit logging
SOC 2 Type II: Currently in progress (6-12 month timeline) - demonstrates our commitment to security, availability, and confidentiality
ISO 27001: Roadmap for 2026

Data Processing Agreement (DPA)

For enterprise customers, we provide a Data Processing Agreement that outlines our responsibilities under GDPR and other data protection regulations. Contact us to request a DPA.

Third-Party Security

Our infrastructure partners maintain their own compliance certifications:

Anthropic Claude: SOC 2 Type II, ISO 27001, HIPAA-configurable
Supabase: SOC 2 Type II, ISO 27001, HIPAA-compliant
Render.com: SOC 2 Type II
Netlify: SOC 2 Type II

Enterprise Privacy Options

We understand that enterprise organizations have unique security requirements. Here are the privacy options we offer or are developing:

Feature	Standard	Enterprise	BYOK (Roadmap)
AI Provider	Platform-managed Claude API	Platform-managed with ZDR	Your own Anthropic account
Data Retention	Standard retention policies	Zero Data Retention (ZDR)	Your control via Anthropic
AI Usage Visibility	Dashboard analytics	Dashboard analytics	Direct in Anthropic console
Compliance	GDPR, DPA available	GDPR, SOC 2, DPA, BAA (upon request)	Your Anthropic contract terms
Support SLA	Email support	Priority support + Slack channel	Priority support + Slack channel

Bring Your Own API Key (BYOK) - Coming Soon

We're developing a feature that allows enterprise customers to use their own Anthropic API key. This provides:

Direct provider relationship: Your own contract with Anthropic
Complete usage transparency: See AI usage in your Anthropic console
Cost control: Pay Anthropic directly, lower AetherCI platform fee
Enhanced privacy: Additional layer of control over data processing

Join our early access list if BYOK is important for your organization.

Private Deployment (Future)

For organizations with strict data residency or air-gapped requirements, we're exploring private deployment options including:

Deployment within your VPC (AWS, GCP, Azure)
On-premises installation
Integration with Claude via AWS Bedrock or Google Vertex AI for complete network isolation

This option is typically suited for post-Series B companies or heavily regulated industries. Contact us to discuss your requirements.

Development & Operational Security

Secure Development Practices

Code review: All code changes require review before deployment
Automated testing: Security and integration tests run on every commit
Dependency scanning: Automated vulnerability scanning of third-party packages
Secrets scanning: Pre-commit hooks prevent accidental credential commits
Security-first design: Following OWASP Top 10 guidelines and threat modeling

Incident Response

In the unlikely event of a security incident:

24/7 monitoring: Automated alerts for suspicious activity
Incident response plan: Documented procedures for containment and remediation
Customer notification: We commit to notifying affected customers within 72 hours
Transparency: Post-incident reports shared with enterprise customers

Audit Logging

We maintain comprehensive audit logs of all significant actions:

Authentication events (login, logout, failed attempts)
Integration changes (added, modified, removed)
Project configuration changes
AI analysis requests
Data access patterns

Enterprise customers can request audit log exports for compliance purposes.

Frequently Asked Questions

How do you protect my source code and intellectual property?

We only analyze the information necessary to diagnose CI/CD failures: logs, error messages, commit metadata, and relevant configuration excerpts. We never request access to your full source code repositories. Integration credentials are encrypted at rest using AES-256, and your data is isolated from other organizations using database-level Row Level Security.

Is my data used to train AI models?

No. We use Anthropic's Claude API which has a strict policy of never using customer data to train AI models. For Enterprise customers, we enable Zero Data Retention (ZDR), which means your data is analyzed in real-time and never stored on Anthropic's systems.

What happens if I delete my account?

All your data is permanently deleted from our systems within 30 days, including projects, analyses, integration configurations, and audit logs. We use database cascading deletes to ensure complete removal. You can request account deletion at any time from your account settings.

Can I use my own Anthropic API key?

This feature is currently in development as part of our Enterprise offering. It will allow you to use your own Anthropic account, giving you direct control over the AI provider relationship and cost. Contact us to join the early access program.

Do you support private/on-premises deployment?

We're currently focused on our secure SaaS offering. Private deployment options (VPC, on-premises) are on our roadmap for late 2025/early 2026, primarily for enterprise customers with strict data residency requirements. If this is a requirement for your organization, please reach out to discuss your needs.

Are you SOC 2 compliant?

We are currently working toward SOC 2 Type II certification (6-12 month process). In the meantime, we follow SOC 2 best practices including encryption at rest and in transit, access controls, audit logging, and regular security reviews. Our infrastructure partners (Supabase, Render, Anthropic) all maintain SOC 2 Type II certification.

How do you handle GDPR compliance?

We are GDPR-ready with: data encryption, access controls, audit logging, right to deletion, and Data Processing Agreements (DPA) available for enterprise customers. Our database infrastructure is hosted by Supabase, which is ISO 27001 certified and GDPR-compliant.

What regions is my data stored in?

Our primary database is hosted on Supabase in the US region. For Enterprise customers with specific data residency requirements, we can discuss options including EU-based hosting or integration with regional AI providers (AWS Bedrock, Google Vertex AI).

How do I report a security vulnerability?

We take security vulnerabilities seriously. Please report any issues to security@aetherci.com. We commit to acknowledging your report within 48 hours and providing updates on remediation progress. For sensitive disclosures, we can provide PGP encryption details upon request.

Questions About Security?

If you have specific security requirements or questions not covered here, we'd love to hear from you. Enterprise customers can request:

Security questionnaire responses
Data Processing Agreements (DPA)
Vendor security assessments
Custom compliance documentation
Architecture review sessions

Contact Security Team