Security
We built Aclude with security at every layer. Your data, your keys, your code — all protected by design.
Encrypted API Keys
Your AI keys are encrypted at rest using AES-256. They are only decrypted in memory during active sessions and never logged or cached.
Isolated Previews
Each preview runs in its own Firecracker microVM, the same technology behind AWS Lambda. Full hardware-level tenant isolation.
SOC 2 Compliant
Enterprise-grade security practices. We are actively working toward SOC 2 Type II certification with controls already in place.
Code Ownership
You own 100% of your generated code. We never claim rights to your projects, and you can export everything at any time.
Security Practices
Encryption
All data transmitted to and from Aclude is encrypted in transit using TLS 1.3. Data at rest, including project files, user information, and database backups, is encrypted using AES-256. Backups are stored in geographically redundant locations with the same encryption standards.
API Key Handling
Your AI provider API keys are encrypted before storage and are never stored in plain text. Keys are decrypted only in memory during active sessions and are immediately discarded afterward. They are never logged, included in error reports, or accessible to Aclude staff. Each user's keys are fully isolated from other accounts.
Infrastructure Isolation
Every preview and deployment runs inside its own Firecracker microVM, providing hardware-level isolation between tenants. These lightweight virtual machines are ephemeral and destroyed after each session, ensuring your code and data are never commingled with other users. Network access between VMs is blocked at the hypervisor level.
Authentication and Access
Aclude uses Supabase Auth with support for email/password and Google OAuth. All sessions are managed with secure, HTTP-only tokens. Row-level security (RLS) policies ensure that users can only access their own data at the database level, providing defense in depth beyond application-level checks.
Monitoring and Incident Response
We continuously monitor our infrastructure for anomalies and security events. Audit logs track all sensitive operations. In the event of a security incident, we follow a documented response plan that includes containment, investigation, notification, and remediation. Affected users will be notified promptly.
Responsible Disclosure
If you discover a security vulnerability in Aclude, we ask that you report it responsibly. Please email us at security@aclude.dev with a description of the issue. Do not publicly disclose the vulnerability until we have had a chance to investigate and address it. We appreciate your help in keeping Aclude secure and will acknowledge valid reports.