Skycot

1. Security Overview

At Skycot, the security and privacy of your data is fundamental to everything we build. We implement industry-standard security practices across our entire infrastructure to ensure your personal information, conversations, and integrations remain protected at all times.

This policy describes the technical and organisational measures we use to safeguard your data.

2. Infrastructure Security

Skycot is hosted on Amazon Web Services (AWS) in the Sydney region (ap-southeast-2). Our infrastructure includes:

Compute: AWS ECS Fargate (serverless containers) — no shared host access, each task runs in its own isolated environment.
Database: Amazon RDS PostgreSQL 16.6 with pgvector, deployed in a private VPC subnet with no public internet access.
Encryption at rest: All database storage is encrypted using AWS-managed encryption keys (AES-256).
Encryption in transit: All connections between services use TLS 1.2 or higher.
Network isolation: The database resides in a private VPC and is only accessible from our application containers via security group rules.
Container images: Stored in Amazon ECR (Elastic Container Registry) with image scanning enabled.

3. Authentication & Identity

We use multiple layers of authentication to protect your account:

Google OAuth 2.0: Primary authentication via Google sign-in. We never see or store your Google password.
JWT sessions: Authenticated sessions use signed JSON Web Tokens with expiration. Tokens are validated on every request.
Password hashing: Where password-based authentication is used, passwords are hashed using bcrypt with a secure cost factor. Plain-text passwords are never stored.
OAuth token storage: Google integration tokens are stored encrypted in our database and are never exposed to other users or third parties.

4. Data Protection

We employ defence-in-depth strategies to protect data at every layer:

HTTPS everywhere: All traffic to skycot.com is served over HTTPS with TLS 1.2+. HTTP requests are automatically redirected.
HSTS headers: HTTP Strict Transport Security is enforced, preventing downgrade attacks.
Content Security Policy: CSP headers restrict the sources of scripts, styles, and other resources to prevent cross-site scripting (XSS) attacks.
Parameterised SQL queries: All database queries use parameterised statements to prevent SQL injection. We do not use string concatenation for query construction.
Input validation: All user inputs are validated and sanitised on the server side before processing.
Secure cookies: Session cookies are set with Secure, HttpOnly, and SameSite attributes.

5. Access Controls

Your data is isolated and protected through strict access controls:

Row-Level Security (RLS): Enabled on all 26 database tables. Every query is scoped to the authenticated user — you can only access your own data.
Per-user data scoping: Conversations, memories, agent interactions, and integration data are all tied to your unique user ID.
No shared access: There is no mechanism for one user to access another user's data through the application.
Admin access: Administrative functions are restricted to authorised personnel and are logged.

6. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor:

Skycot does not store, process, or transmit credit card numbers, CVVs, or other card details.
All payment form fields are rendered by Stripe's secure, PCI-compliant embedded elements.
Subscription management and billing are handled entirely through Stripe's infrastructure.
Webhook payloads from Stripe are verified using signature validation to prevent tampering.

7. Third-Party AI Processing

When you interact with AI agents, your messages are processed by third-party AI providers:

Anthropic (Claude): Processes conversation messages. Anthropic does not retain your data beyond the API call for training purposes. See Anthropic's Privacy Policy.
OpenAI: Used for text embeddings (memory search) and image generation. See OpenAI's Privacy Policy.
Data sent to these providers is transmitted over encrypted connections and is used solely to generate responses for you.

8. Monitoring & Incident Response

We actively monitor our infrastructure for security threats and performance issues:

CloudWatch monitoring: Real-time metrics and alarms for CPU, memory, error rates, and response times.
Automated alerting: Critical alerts are sent via SMS and email to the engineering team.
Autoscaling: ECS services automatically scale between 1 and 4 tasks based on CPU utilisation to maintain availability.
Health checks: Application load balancer performs health checks every 30 seconds to detect and replace unhealthy instances.

In the event of a security incident, we will:

Investigate and contain the issue immediately.
Notify affected users within 72 hours of confirmed data breach, as required by applicable law.
Provide a clear description of what data was affected and what steps we are taking.
Implement remediation measures to prevent recurrence.

9. Vulnerability Reporting

We take security vulnerabilities seriously. If you discover a potential security issue, please report it responsibly:

Email security@skycot.com with a detailed description of the vulnerability.
Include steps to reproduce the issue, if possible.
Allow us reasonable time to investigate and address the issue before public disclosure.

We appreciate responsible disclosure and will acknowledge receipt of your report within 48 hours.

10. Compliance

Google API Services: Skycot complies with the Google API Services User Data Policy, including Limited Use requirements.
CASA Tier 2: Skycot is undergoing Cloud Application Security Assessment (CASA) Tier 2 certification for Google OAuth sensitive scopes.
PCI DSS: Payment processing is fully delegated to Stripe, a PCI DSS Level 1 service provider.

11. Contact

For security concerns or vulnerability reports, contact us at security@skycot.com.

For general privacy inquiries, contact privacy@skycot.com.

Skycot Pty Ltd. Melbourne, Australia. ABN pending.

My Team

Security Policy