Legal · v0

Security Overview

Effective date: June 14, 2026

Last updated: June 14, 2026

Where we are today

SKIRA is in pre-beta development. The public site at skira.app today includes a landing page that collects emails for the beta waitlist and a non-functional login page (deployed but disabled until the product launches). The application infrastructure (database, LLM connections, observability) is configured and connected, but no customer data is currently being processed. Error monitoring runs on every page to help us diagnose bugs.

This document covers what's true today and what we commit to when the product launches.

Our security philosophy

SKIRA is built for engineering managers who care about how their team's data is handled. The same considerations apply to how we operate.

A few principles that shape our architecture:

  • We process your tools' data; we don't surveil your people. SKIRA reads what your team produces: pull requests, tickets, decisions, calendar events. It surfaces patterns at the level of the team. It does not generate ratings, rankings, or assessments of individual engineers. This is structural in our architecture, not just a stated policy.
  • We use the minimum data necessary. When the product launches, we'll request the minimum API scopes from your connected tools. If a feature doesn't need a permission, we don't ask for it.
  • We're explicit about what we send to third parties. Our list of processors is public, and we update it when it changes. Nothing goes to anyone not on the list.
  • We don't train models on your data. Customer data is not used to train or fine-tune any language model, ours or anyone else's.

Where the site lives

  • Hosting, CDN, analytics: Vercel (production environment, US-based infrastructure)
  • DNS and email routing: Cloudflare
  • Bot protection on the beta form: Cloudflare Turnstile (privacy-respecting bot challenge; no behavioral fingerprinting)
  • Email service: Loops (handles the beta waitlist form submissions, including double-opt-in confirmation)
  • Error monitoring: Sentry (receives JavaScript error events from your browser when something breaks). Configured to scrub IP addresses before storage.
  • Database: Supabase (configured and connected, encrypted at rest, encrypted in transit). Not currently storing customer data, since the product is not yet live.

All connections to and from skira.app are encrypted in transit using TLS 1.2 or higher.

Where data will live when the product launches

The infrastructure above will expand to actively process customer data when the product launches:

  • Database: Supabase will store account data, integration tokens, and synthesized intelligence.
  • Secrets management: API tokens from your connected tools will be stored in encrypted secrets storage, never in plaintext.
  • LLM processing: Anthropic will process anonymized engineering data to generate narratives. Customer data is not retained for model training.
  • Observability: Langfuse will receive anonymized inference traces, configured to redact sensitive data.

What the product will protect against

When the product launches, the security commitments will include:

  • Encryption at rest for all customer data
  • Access controls so engineers other than the account owner can't access data they don't have permission to see
  • Data isolation between customer accounts (no cross-tenant data exposure)
  • Audit logs for access to customer data
  • Incident response procedures with disclosure commitments

These will be expanded and specified before the beta launches.

Third-party processors

The complete list of third parties that handle any data is in our Privacy Policy. Each is selected and configured to minimize data exposure:

  • Sentry (error monitoring): receives JavaScript error events. Configured to scrub IP addresses before storage.
  • Anthropic (LLM provider): SOC 2 Type II. Will process anonymized engineering data. Customer data not used for model training.
  • Supabase (database): SOC 2 Type II. Encrypted at rest, encrypted in transit.
  • Vercel (hosting, CDN, analytics): SOC 2 Type II.
  • Cloudflare (DNS, email routing): SOC 2 Type II.
  • Langfuse (LLM observability): Configured to redact sensitive data from inference traces.
  • Loops (email): Currently processes beta waitlist contacts.

Compliance work in progress

SKIRA is currently working toward, but has not yet completed:

  • SOC 2 Type II. Planned for after the product launches, gated on customer demand.
  • GDPR compliance. In progress, including EU and UK Article 27 representatives and a Data Processing Agreement template.
  • CASA (Google Workspace API compliance). Required when Gmail and Calendar integrations launch.

We'll publicly report on these as they're completed. We won't claim certifications we don't have.

Reporting a security issue

If you find a security issue in SKIRA, please report it to kyle@skira.app (we'll set up a dedicated security alias once the product launches). We commit to:

  • Acknowledging your report within 48 hours
  • Investigating and sharing our assessment within 14 days
  • Coordinating responsible disclosure

We don't currently offer a bug bounty program. We do recognize meaningful security contributions publicly, with your permission.

Contact

For security questions: kyle@skira.app (security@skira.app to follow at product launch)

SKIRA LLC, New York, USA
