Security & Compliance

Security by Design, Not by Afterthought

Cycl was built with enterprise security principles from day one. Encryption, access control, audit logging, and sandboxed execution are fundamental to the architecture — not bolted on later.

How We Protect Your Data

Every layer of Cycl is designed with security as a first-class concern.

Encryption at Rest

All sensitive data is encrypted before it touches the database.

  • AES-256-GCM authenticated encryption for all secrets
  • Node.js native crypto — no third-party dependencies
  • Keys decrypted only at point of use, never cached
  • Encryption key managed via environment variable

Role-Based Access Control

12-role RBAC with hierarchical scope inheritance across your entire organization.

  • System, Team, and Project scope levels
  • Roles: admin, permission manager, viewer, creator, planner, builder, reviewer, and more
  • Parent scope inherits to child — a team admin has access to all team projects
  • Privilege escalation prevention built in

Invitation-Only Access

No public signup. Every user must be explicitly invited with pre-assigned roles.

  • Email-based invitation with secure token links
  • Roles pre-configured before user joins
  • First-user bootstrap grants system admin automatically
  • Invitation revocation supported

Comprehensive Audit Trail

Append-only audit logging across every ceremony in the SDLC.

  • 20+ instrumented API routes tracked automatically
  • Who did what, when — across planning, building, review, and settings
  • Entity name snapshots survive deletions
  • Filterable by team, project, user, category, and date range

Row-Level Security

Every database query is enforced through PostgreSQL Row-Level Security policies.

  • Team isolation via Supabase RLS on every table
  • No direct database access — all queries go through the RLS-enforced client
  • Security-definer functions for permission checks
  • Append-only audit tables (no UPDATE or DELETE policies)

Sandboxed Code Execution

All AI-generated code runs in ephemeral cloud sandboxes, fully isolated from production.

  • E2B cloud VMs — spun up per build, destroyed after use
  • No access to production systems or data
  • Code pushed to GitHub branch only after validation
  • Build artifacts never touch your infrastructure directly

Automated Validation

Every build is validated against structured criteria before it can progress.

  • Automated lint, typecheck, and test validation
  • AI-verified done-when criteria per task
  • Regression detection across fix rounds
  • Validation results tracked with full token accounting

Session Security

Server-side session management with automatic refresh on every navigation.

  • httpOnly cookies — not accessible via JavaScript
  • Session refresh on every page navigation via middleware
  • bcrypt password hashing via Supabase Auth
  • API routes authenticate independently via session token

Secret Management

API keys, tokens, and credentials are never stored in plaintext.

  • Anthropic API keys encrypted before storage
  • GitHub PATs encrypted with AES-256-GCM
  • MCP server credentials encrypted at rest
  • Secrets never exposed in plaintext to the browser

Our Security Principles

Defense in Depth

Multiple layers of security — authentication, authorization, encryption, RLS, sandboxing — so no single point of failure compromises the system.

Least Privilege

Users get only the roles they need. Scope inheritance means access is granted at the narrowest level possible. Privilege escalation is prevented at every checkpoint.

Zero Trust for AI

AI-generated code never runs on production infrastructure. Every build executes in an ephemeral sandbox, validates against structured criteria, and produces a PR for human review.

Transparency

Every action is logged. Every requirement is traced to code. Every cost is tracked. Nothing happens in Cycl that you can't audit, trace, or review.