Security

Security posture

How we protect customer data and the documents your business runs on. Current as of 2026-05-21.

Encryption — in transit and at rest

All traffic to skycanvass.com is served over modern TLS (1.2 minimum, with TLS 1.3 negotiated for capable clients) with HSTS preload (max-age two years, includeSubDomains, preload) so browsers refuse to downgrade to HTTP. The HSTS header is declared at the edge in our Caddyfile and applies to every public surface.

Postgres data at rest is encrypted via the underlying disk volume on our hosting provider (Hetzner Cloud, EU and US regions). Object storage (Cloudflare R2) holds storm reports, photo packets, and code packets; R2 encrypts objects at rest by default with provider-managed keys.

For point-in-time recovery, wal-g streams WAL segments to Cloudflare R2 as they fill and writes periodic base backups (currently weekly). Backups land in R2 with R2 server-side encryption applied at rest. Retention keeps the most recent four full base backups (roughly a 28-day recovery window).

Secret management

Production secrets are encrypted with sops + age (age-encryption.org). The encrypted bundle lives in the repository; the matching age private key lives only on the production host at a root-owned, mode-0600 path. Engineers do not handle plaintext production secrets locally.

Local development secrets are stored in the macOS Keychain and fetched at runtime; they are never written into source, into .env files committed to git, or into container env files. Pre-commit scanners (gitleaks, trufflehog) reject accidental secret commits.

No credentials are passed on process command lines (where they would leak to ps and other unprivileged readers). The same rule extends to MCP wrappers and CI scripts.

Authentication and access control

Each customer account is scoped to a team. Multi-tenant data tables carry a team_id column with an indexed foreign key, and every server function resolves the active team from the session before touching team-owned data. There is no cross-team read path in normal queries.

Engineering access is via key-based SSH only — no shared accounts, no password logins, no public ingress on management ports. Access to production database shells goes through a private Tailscale-administered network; the host firewall blocks public ingress on SSH.

Roles inside the customer workspace currently include owner, manager, and member. Multi-factor authentication and SSO (SAML/OIDC) are on the roadmap and will land before the first paid enterprise customer; today, email-based password authentication with rate-limited login attempts is the default.

Session cookies are HttpOnly, Secure, and SameSite=Lax. Sessions rotate on privilege change and expire on idle.

Data isolation and tenancy

The primary tenancy boundary is the team_id column on customer-data tables (leads, customers, proposals, activities, tasks, renewals, projects). Repository functions in our Rust data layer take a team_id parameter and filter on it, with the Leptos front end barred from writing raw SQL by a zero-tolerance pre-commit guard.
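The team_id filter described in this section, as an added Rust example that is not SkyCanvass's own data layer: an in-memory stand-in for a repository where every read takes the team resolved from the session and filters on it, so a lead owned by another team is indistinguishable from one that does not exist. The names (TeamId, LeadRepo, Session, sample_repo) and the sample rows are assumptions constructed for the example.

```rust
use std::collections::HashMap;

/// Newtype so a team id cannot be silently swapped for any other integer.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct TeamId(pub u64);

#[derive(Clone, Debug, PartialEq)]
pub struct Lead {
    pub id: u64,
    pub team_id: TeamId,
    pub name: String,
}

/// What the server has already resolved from the session before any data access.
pub struct Session {
    pub active_team: TeamId,
}

/// In-memory stand-in for the leads table (constructed); a real repository would run `WHERE team_id = $1 AND id = $2`.
pub struct LeadRepo {
    rows: HashMap<u64, Lead>,
}

impl LeadRepo {
    /// Reads take the team id and filter on it: another team's lead looks like a missing lead.
    pub fn get_lead(&self, team: TeamId, lead_id: u64) -> Option<&Lead> {
        self.rows.get(&lead_id).filter(|l| l.team_id == team)
    }

    pub fn list_leads(&self, team: TeamId) -> Vec<&Lead> {
        let mut v: Vec<&Lead> = self.rows.values().filter(|l| l.team_id == team).collect();
        v.sort_by_key(|l| l.id);
        v
    }
}

/// Server function: the team comes from the session, never from a client-supplied id.
pub fn lead_for_session(repo: &LeadRepo, session: &Session, lead_id: u64) -> Option<Lead> {
    repo.get_lead(session.active_team, lead_id).cloned()
}

/// Constructed sample data: one lead each for two teams.
pub fn sample_repo() -> LeadRepo {
    let rows = vec![
        Lead { id: 10, team_id: TeamId(1), name: "Roof replacement, 12 Oak St".into() },
        Lead { id: 20, team_id: TeamId(2), name: "Gutter repair, 4 Elm Ave".into() },
    ];
    LeadRepo { rows: rows.into_iter().map(|l| (l.id, l)).collect() }
}
```

Because the only way to reach a row is through a function that demands a TeamId, a caller that forgets the filter fails to compile rather than leaking another team's data.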

R2 object keys are namespaced by team and resource, so storm reports, photos, and code packets generated by one team are not reachable under another team's prefix. Signed URLs are scoped to a single object and expire on a short window.

Row-level security in Postgres (RLS) is on the hardening roadmap as a defense-in-depth layer on top of the existing application-level team filter.

Audit and observability

Mutations inside the customer workspace (lead status change, proposal acceptance, task completion, renewal outcomes, customer conversion) write an activity row that records the actor, the timestamp, and the resource touched. Activity rows are append-only from the application side and are visible to team members on the activity feed.

Webhook deliveries from third-party providers (for example, transactional email) are logged with a unique event ID before processing so we can replay or trace any individual message end-to-end.

Error tracking is via Sentry (self-managed project, no PII in event payloads; events carry stack traces, route names, and release SHAs, not customer rows). Product analytics via PostHog (us.i.posthog.com) is consent-gated and excludes raw payloads from customer documents.

Server-side observability — Prometheus metrics, Loki logs, Sentry events, R2 access logs — is queried through APIs by our operators rather than displayed on dashboards. There is no public observability surface.

Compliance roadmap

SkyCanvass is in pre-launch as of 2026-05-21. We are not yet SOC 2 certified. SOC 2 Type I (controls design opinion) is on the roadmap; engagement with a third-party assessor will follow first revenue. SOC 2 Type II (operating-effectiveness opinion over a sustained window) is the eventual enterprise gate. We do not represent either as in place today.

For privacy regimes, we align with GDPR and CCPA: data-subject access requests, deletion requests, and portability exports are supported via the account surface and via support@skycanvass.com. See the Privacy Policy for the full handling commitments.

For Florida market work, SkyCanvass surfaces property data and event history. The product is not a coverage determination, not a recovery or payout service, and not assignment-of-benefits activity. A repository-level scanner enforces this language posture in every customer-facing artifact, so the boundary stays consistent across the product, the marketing site, and generated reports.

HIPAA is not in scope — restoration work does not handle protected health information.

Subprocessors

Production data passes through a small list of vetted infrastructure providers. The current set is: Cloudflare (R2 object storage for reports, photos, and code packets), Hetzner Cloud (compute and primary database hosting), Sentry (error event ingestion), PostHog Cloud (product analytics), and Resend (transactional email delivery for verification, password reset, and account notifications).

Payment processing via Stripe will be activated when we begin charging. Until then, no payment-card data is collected, stored, or transmitted.

We do not contract with managed-agent vendors that retain customer prompts, documents, or content for model training. All AI inference used by SkyCanvass runs through providers whose terms prohibit training on customer input.

Data retention

Customer data is retained while the account is active. After cancellation, data is purged from the primary store within 30 days. Anonymized aggregates (counts, geographic distribution) may be retained for product analytics.

Physical database backups are retained as the most recent four full base backups (roughly a 28-day point-in-time recovery window). WAL segments age out under the same retention policy.

Sentry events default to 90-day retention. PostHog events default to 365-day retention; both windows are configurable per account on enterprise plans.

Caddy access logs and Loki application logs are retained for 30 days for incident response, then rotated.

Incident response and disclosure

For breach notification where legally required, we commit to notifying affected account contacts within 24 hours of confirming material impact. The exact disclosure regime applied depends on jurisdiction (GDPR, CCPA, US state breach laws).

For security researchers: report findings to security@skycanvass.com (or estimates@onyxclaims.com if the alias is unreachable). Coordinated disclosure is preferred — give us reasonable time to issue a fix before publication. Acknowledgment within one business day; scope and remediation timeline within five business days.

A formal bug bounty program is not active yet. We credit good-faith researchers publicly with their consent and commit to no legal action against good-faith research.

Vulnerability scope, in-scope categories, and the historical disclosure list live in the SECURITY.md at the root of our public repository.

Security questionnaires and reports

For enterprise procurement: send the questionnaire (CAIQ, SIG, custom) to security@skycanvass.com. Once a paid plan is in place, we share our control mapping, the in-progress SOC 2 evidence we have so far, and the subprocessor list with DPAs.

Penetration test reports, when produced, will be available under NDA to active paid customers.

A note on what is shipped vs. planned

SkyCanvass is in pre-launch beta. The security posture above is current as of 2026-05-21 and subject to change.

This page is informational and is not a substitute for your own legal, security, or compliance review.

For SOC 2 reports and security questionnaires, contact security@skycanvass.com (gated to active paid plans once available).

Security contact: security@skycanvass.com

See also our Privacy Policy and Terms of Service.