Security

• Passwords are hashed with bcrypt; we never store them in plain text.
• Sessions use signed JWTs. CLI access uses device-authorization login (RFC 8628) — there's no long-lived key to copy or leak, and device tokens are stored only as hashes.
• Optional GitHub OAuth for sign-in.

Every request is scoped to your organization and authorized at the service layer. Data is partitioned by organization, and access checks are enforced on read and write paths.

Data is encrypted in transit (TLS). Backups and data at rest are protected by our managed infrastructure provider's encryption.

• Strict input validation across API endpoints.
• Webhook payloads verified with HMAC signatures (fail-closed).
• Team learnings pass a prompt-injection / secret scanner before they can be applied to agents.
• Required secrets are validated at startup; the service refuses to boot in production with default or missing secrets.

Sensitive actions — plan changes, membership changes, and learning approvals/reverts — are recorded in an immutable audit log visible to org admins.

We are an early-stage product. We do not yet hold SOC 2 or ISO 27001 certification; formal compliance is on our roadmap. We're glad to complete security questionnaires and discuss your requirements.

Found a security issue? Please email admin@nepselabs.com with details. We'll acknowledge and work with you on a fix.