Security
Last updated: June 2026
How we protect your data: API keys and integration tokens are encrypted at rest, passwords are hashed, every workspace is isolated, and connected apps are accessed only to perform the actions you request.
Encryption
- At rest: AI provider API keys and connected-integration OAuth tokens are encrypted with AES-256-GCM (authenticated encryption) and are never displayed back to you.
- In transit: all traffic to the Service uses HTTPS/TLS.
Authentication & sessions
- Passwords are salted and hashed with scrypt — we never store them in plain text.
- Sessions store only a hash of the session token, so a database leak cannot be used to resume anyone's session.
- Auth endpoints are rate-limited to blunt credential-stuffing.
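The password and session handling described in this section, as an added Python example that is not SikloAI's code: it shows salted scrypt hashing and a session table that holds only token digests. The in-memory tables, function names and scrypt cost parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for database tables (assumption).
USERS = {}     # username -> (salt, scrypt_hash)
SESSIONS = {}  # sha256(session token) hex digest -> username

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # illustrative cost parameters
# Dummy record so unknown usernames cost the same work as known ones.
DUMMY = (secrets.token_bytes(16), secrets.token_bytes(32))

def register(username, password):
    salt = secrets.token_bytes(16)  # unique salt per user
    USERS[username] = (salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT))

def verify_password(username, password):
    salt, expected = USERS.get(username, DUMMY)
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, expected)  # constant-time compare

def _token_digest(token):
    # The token carries 256 bits of randomness, so a fast hash is enough;
    # a slow KDF is only needed for low-entropy secrets such as passwords.
    return hashlib.sha256(token.encode()).hexdigest()

def create_session(username, password):
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)          # handed to the client only
    SESSIONS[_token_digest(token)] = username  # only the digest is stored
    return token

def resolve_session(token):
    # Hash whatever the client presents and look that up; a digest copied
    # from the table hashes to a different value and finds nothing.
    return SESSIONS.get(_token_digest(token))

def revoke_session(token):
    SESSIONS.pop(_token_digest(token), None)
```
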
Tenant isolation & bring-your-own-key
- Each workspace's data, knowledge, keys, and connections are scoped to that workspace; owners can only access their own.
- SikloAI is bring-your-own-key: your AI usage runs on your own provider key, so it is isolated to your account and never shared across customers.
Connected integrations
- You connect third-party apps (Google, Slack, GitHub, Notion) via OAuth; we request the minimum scopes needed and store the resulting tokens encrypted.
- Tokens are used only to perform the actions you or your agent request. You can disconnect any integration at any time, which deletes its stored tokens.
- Our use of Google user data follows the Google API Services User Data Limited Use requirements.
Infrastructure
- The Service runs on managed cloud infrastructure with HTTPS, access controls, and per-tenant rate limiting.
- We follow the principle of least data: we collect only what is needed to run your account and the Service.
Responsible disclosure
If you believe you've found a security vulnerability, please email [email protected] with details. We appreciate good-faith reports and will work with you to investigate and fix issues. Please do not access other users' data or disrupt the Service while testing.
No system is perfectly secure. We take reasonable, industry-standard measures to protect your data, but cannot guarantee absolute security. This page describes our practices and is not a certification or warranty.
Contact
Security questions? Email [email protected].