SECURITY

Your code is sacred.

Here's how we protect it.

Local-First Architecture

StateSpine is built on a local-first principle. Your code, your projects, and your work stay on your machine by default.

This isn't just a feature — it's a fundamental design decision. We can't access your code because it never leaves your computer unless you explicitly choose to sync it.

Stored Locally

  • All project files
  • Version history (Timeline)
  • AI embeddings
  • Preferences and settings

Works Offline

  • Full editing capabilities
  • Local AI assistance
  • Version control
  • Guardian monitoring

Encryption

If you choose to use cloud features (sync, collaboration), your data is protected with industry-standard encryption.

In Transit

All data transmitted between your device and our servers uses TLS 1.3 encryption. We enforce HTTPS everywhere with HSTS preloading.

At Rest

Data stored on our servers is encrypted using AES-256. Encryption keys are managed securely and rotated regularly.

End-to-End (for Synced Code)

When you sync projects to the cloud, they're encrypted on your device before upload using keys derived from your credentials. We cannot read your synced code — only you can decrypt it.

Authentication

Your account security is critical. We implement multiple layers of protection.

Password Security: Passwords are hashed using bcrypt with appropriate cost factors. We never store or transmit plain text passwords.

Two-Factor Authentication: Optional but recommended. Supports TOTP authenticator apps.

Session Management: Sessions are cryptographically secure, expire appropriately, and can be revoked remotely.

Device Tracking: We track authorized devices so you can see and revoke access from unfamiliar locations.

Infrastructure Security

Our backend infrastructure is designed with security as a primary concern.

Supabase: We use Supabase for authentication and database services. Supabase provides SOC 2 Type II compliant infrastructure with built-in security features.

Minimal Attack Surface: StateSpine's local-first architecture means fewer server-side components that could be compromised.

Regular Updates: We keep all dependencies updated and monitor for security advisories.

Access Controls: Production systems follow the principle of least privilege. Access is logged and audited.

AI Security

StateSpine uses AI to help you build better software. Here's how we keep AI interactions secure.

Local AI

Basic AI features run entirely on your machine using local models. No data is sent anywhere.

BYOK — Bring Your Own Keys

For advanced AI features, you bring your own API keys. We don't run AI servers or proxy your requests. When you use cloud AI:

  • Your keys connect directly to your chosen provider
  • Only the context needed for your query is sent
  • Data is transmitted encrypted end-to-end
  • We never see your API keys or AI conversations
  • You control the provider, costs, and data flow

No Training on Your Code

We do not and will not use your code to train AI models. Your code is yours. Period.

Responsible Disclosure

We take security seriously and appreciate the work of security researchers. If you discover a vulnerability:

How to Report

  1. Email us at security@statespine.com
  2. Include detailed steps to reproduce the issue
  3. Give us reasonable time to respond and fix (typically 90 days)
  4. Don't disclose publicly until we've addressed the issue

Our commitment: We won't take legal action against researchers who follow responsible disclosure practices. We appreciate your help keeping StateSpine secure.

Questions?

If you have questions about our security practices, we're happy to discuss.