Security
How Stoney handles your data.
What We Collect
| Collected | Not Collected |
|---|---|
| HTTP method | Request bodies |
| Path pattern | Response bodies |
| Status code | Header values |
| Duration | Query params |
Encryption
- In transit: TLS 1.3
- At rest: secrets are encrypted with AES-256-GCM; tokens are stored as SHA-256 hashes
Secrets
Secrets in Settings → Secrets are:
- Encrypted before storage
- Never returned to the browser
- Decrypted only at runtime
Compliance
- SOC 2 Type II compliant
- GDPR: EU data residency available
- Data retention: 90 days (configurable)
Whitelisting
If your API requires IP whitelisting, see stoneydev.com/ips
For private networks, use self-hosted runners.
Reporting Vulnerabilities
Email: security@stoneydev.com