Security

Built for teams that ask hard questions.

Security teams should ask hard questions before adopting new tooling. Here are our honest answers — what we do, what we don't, and where the boundaries are.

Compliance roadmap
SOC 2 Type II
In progress

Evidence collection underway via Vanta. Type II observation window closes Q3 2026; audit report expected late Q4 2026. Letter of engagement available on request.

GDPR
Aligned

Aligned to GDPR principles: lawful basis, data minimisation, right to access (export from /dashboard/settings → Account), right to erasure (delete account in same place). DPA available on request.

HIPAA / PCI-DSS
Available

Stoney does not process PHI or cardholder data on customer behalf. We verify the rules your team writes for HIPAA/PCI compliance; we are not a covered entity ourselves.

Your code never leaves your infrastructure

Stoney is a binary that runs inside your own CI runners. It makes HTTP requests against your staging environment and checks the responses. No source code, no secrets, and no HTTP payloads are ever transmitted to Stoney's servers.

Tokens are never stored in plaintext

When you generate an API token, we display it exactly once. What we store is the SHA-256 hash — never the token itself. There is no recovery path; if you lose it, you revoke it and generate a new one.
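As an added illustration of the show-once, hash-only scheme described above (example code, not Stoney's own; the token format, the in-memory store standing in for the Postgres table, and the function names are assumptions):

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical in-memory stand-in for the tokens table (assumption: the real
# service keeps these rows in Postgres). Keyed by a public token id so a
# lookup never needs the raw token.
TOKEN_STORE: Dict[str, dict] = {}


def digest_of(raw_token: str) -> str:
    """SHA-256 hex digest of the raw token; the only form ever persisted."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


def issue_token(org_id: str, label: str) -> Tuple[str, str]:
    """Create a token and return (token_id, raw_token). The raw value is shown
    to the user exactly once and is not written to the store."""
    token_id = secrets.token_hex(8)
    # Constructed format: prefix, public id, 256-bit random secret (hex only,
    # so splitting on "_" below is unambiguous).
    raw_token = f"stn_{token_id}_{secrets.token_hex(32)}"
    TOKEN_STORE[token_id] = {
        "org_id": org_id,
        "label": label,
        "digest": digest_of(raw_token),
        "revoked": False,
    }
    return token_id, raw_token


def verify_token(raw_token: str) -> Optional[str]:
    """Return the org id the token authorises, or None if unknown or revoked.
    The presented token is re-hashed and compared in constant time against the
    stored digest; the database never holds anything that can be replayed."""
    parts = raw_token.split("_")
    if len(parts) != 3 or parts[0] != "stn":
        return None
    row = TOKEN_STORE.get(parts[1])
    if row is None or row["revoked"]:
        return None
    if not hmac.compare_digest(row["digest"], digest_of(raw_token)):
        return None
    return row["org_id"]


def revoke_token(token_id: str) -> bool:
    """Mark a token unusable. A lost token has no recovery path: the remedy is
    to revoke it here and issue a fresh one."""
    row = TOKEN_STORE.get(token_id)
    if row is None:
        return False
    row["revoked"] = True
    return True
```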

Minimal Jira and Slack scopes

The Jira integration requests read:jira-work, write:jira-work, and read:jira-user. Slack requests only the ability to post to a chosen channel. We never request admin or workspace management permissions.

Role-based access within your org

Every action is gated by role. Owners manage billing and org settings. Admins invite members and manage tokens. Members can view runs. There are no escalation paths between roles.

Append-only audit log

Every security-relevant action — token creation, revocation, member changes, plan changes — is written to an append-only audit log. You can see who did what and when. (Audit log available on Pro plan.)

No third-party trackers or ad networks

We use Vercel Analytics for anonymized, aggregate performance metrics only. No Google Analytics, no Facebook Pixel, no ad networks. Your usage data is not sold or shared with any third party.

Implementation

| Area | Detail |
|---|---|
| Token storage | SHA-256 hash only — raw value shown once, never persisted |
| Transport | TLS 1.3 enforced · HTTP → HTTPS permanent redirect |
| Auth | OAuth 2.0 (Google, GitHub) + magic-link via NextAuth |
| Data at rest | AES-256 encryption via managed Postgres (Crunchy Bridge) |
| Code access | None — contracts run in your CI runners, not our servers |
| Secret isolation | Env vars and CI secrets never leave your environment |
| Access control | Role-based (owner / admin / member) with least privilege |
| Dependency audit | Automated via Dependabot + GitHub Advisory Database |
| Error tracking | Self-hosted in our own Postgres — no third-party telemetry vendor |
| Backups | Encrypted daily database backups, 7-day retention |

Responsible disclosure

Found a vulnerability? Please email us before public disclosure so we can address it responsibly.

We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.

security@stoneydev.com
Data handling

| Data type | Storage | Retention | Encryption |
|---|---|---|---|
| Account data (name, email, org) | Crunchy Bridge Postgres | Until account deletion | AES-256 at rest · TLS 1.3 in transit |
| OAuth integration tokens | Crunchy Bridge Postgres (encrypted column) | Until integration disconnected | Application-layer envelope encryption + AES-256 at rest |
| Source code (GitHub) | Not persisted | In-flight only — discarded after analysis | TLS 1.3 in transit |
| Run results + drift events | Crunchy Bridge Postgres | 90 days (Pro+: extended per plan) | AES-256 at rest |
| Audit logs | Crunchy Bridge Postgres | 365 days (append-only) | AES-256 at rest |
| Email content (transactional) | Resend (sender) · not retained by Stoney | Resend retention policy applies (≤30 days) | TLS 1.3 in transit |

Subprocessors

| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Vercel | App hosting + edge network | Request metadata, IP for rate-limiting | US (Global edge) |
| Crunchy Bridge | Managed Postgres | All persistent application data | US-East |
| Resend | Transactional email | Recipient email, message body | US |
| Anthropic (Claude) | Rule synthesis + PR analysis | Code diffs + ticket text (not retained for training) | US |
| Voyage AI | Ticket embeddings | Ticket title + summary text | US |
| Lemon Squeezy | Billing + subscription | Email, plan, payment status (no card data) | US |
| GitHub | Source repository reads (your install) | Code is read in-flight, not persisted | US |

For your security team

Procurement reviewing Stoney for adoption? Email security@stoneydev.com and we'll send the trust pack — typically within one business day.

Data Processing Agreement (DPA)
Standard Contractual Clauses (SCCs)
Pen-test summary (latest available)
Vanta evidence excerpt + audit timeline
Architecture diagram + data-flow
Completed CAIQ-Lite questionnaire

GDPR rights — Customers can self-serve data export and account deletion from Settings → Account. For erasure of data after account deletion (e.g. backup retention), email the address above.

Vulnerability disclosure → security@stoneydev.com

Last updated: April 26, 2026