Hardened by design. Yours, by default.
Cuitty's security posture is the same whether you self-host or run in the Cloud. The only thing that changes is who owns the keys.
BetterAuth at the front door
Sessions, API keys, and OAuth all flow through one well-understood library. Self-host the user table on your own Postgres.
SpiceDB / Zanzibar for permissions
Every read and every write is gated by a permission check against SpiceDB. The schema lives in your repo; the relationship data lives in your tenant.
HMAC-SHA256 on every event
Every payload is signed with a per-project webhook secret, and the signature is verified at the edge before the event is persisted.
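How the receiving side checks such a signature, as an added example in Python (not Cuitty's code; the header names, the timestamp binding and the five-minute replay window are assumptions for illustration). The check runs over the raw request bytes and uses a constant-time comparison, and it rejects a tampered body, a replayed delivery and a signature made with another project's secret:

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed sample secret for this example; real secrets are per-project and
# are loaded from configuration, never hard-coded.
WEBHOOK_SECRET = b"whsec_example_secret_do_not_use"
MAX_SKEW_SECONDS = 300  # replay window; an assumed policy, not Cuitty's


def sign_event(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>".

    Folding the timestamp into the signed string lets the receiver reject
    replayed deliveries without keeping per-event state.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_event(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                 now: Optional[int] = None) -> bool:
    """Check an inbound event before it is parsed or persisted.

    The header names are assumptions for this example. The check runs over the
    raw request bytes: re-serialising parsed JSON would change whitespace or
    key order and break the signature.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Cuitty-Timestamp"])
        provided = headers["X-Cuitty-Signature"]
    except (KeyError, ValueError):
        return False
    # Stale or far-future timestamps are rejected even if the MAC is valid.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign_event(secret, ts, raw_body)
    # Constant-time comparison: a plain == leaks how many leading bytes match.
    return hmac.compare_digest(expected, provided)


def demo(now: int = 1_700_000_000) -> Tuple[bool, bool, bool, bool]:
    """Genuine delivery, tampered body, replay outside the window, wrong secret."""
    event = {"id": "evt_01", "type": "deploy.finished", "project": "demo"}
    raw = json.dumps(event, separators=(",", ":")).encode()  # constructed sample
    headers = {
        "X-Cuitty-Timestamp": str(now),
        "X-Cuitty-Signature": sign_event(WEBHOOK_SECRET, now, raw),
    }
    genuine = verify_event(WEBHOOK_SECRET, headers, raw, now=now)
    tampered = verify_event(WEBHOOK_SECRET, headers,
                            raw.replace(b"finished", b"failed"), now=now)
    replayed = verify_event(WEBHOOK_SECRET, headers, raw,
                            now=now + MAX_SKEW_SECONDS + 1)
    wrong_key = verify_event(b"some-other-project", headers, raw, now=now)
    return genuine, tampered, replayed, wrong_key


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The order of checks matters: the timestamp window is evaluated before the MAC so that a captured, still-valid signature cannot be replayed after the window closes, and the secret is per project so a leak in one tenant cannot forge events for another.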
Tamper-evident audit chain
Every admin action, and every event, is hashed into a chain, so any later edit or deletion breaks the links that follow it. Cloud customers get weekly notarization of the chain in a transparency log; self-hosted customers get the same script to run themselves.
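A minimal hash chain of the kind described, as an added example in Python (not Cuitty's script; the entry fields and the checkpoint format are assumptions). It shows what the chain alone catches (an edited entry, a deleted entry in the middle) and what it does not (a truncated tail), which is why a periodically notarized checkpoint of the chain length and head hash is needed on top of the chain:

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64  # prev-hash of the first entry

Entry = Dict[str, Any]


def canonical(fields: Entry) -> bytes:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: Entry) -> str:
    """SHA-256 over every field except the hash itself (prev is included)."""
    fields = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(fields)).hexdigest()


def append(chain: List[Entry], ts: int, actor: str, action: str, target: str) -> Entry:
    entry = {
        "seq": len(chain),
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify(chain: List[Entry]) -> Tuple[bool, int]:
    """Walk the chain; return (ok, index of the first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if entry_hash(entry) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, -1


def checkpoint(chain: List[Entry]) -> Tuple[int, str]:
    """(length, head hash): the value to publish or notarize each period."""
    return len(chain), (chain[-1]["hash"] if chain else GENESIS)


def verify_against_checkpoint(chain: List[Entry], cp: Tuple[int, str]) -> bool:
    """The chain must be internally consistent AND still end at the notarized head."""
    return verify(chain)[0] and checkpoint(chain) == cp


def demo() -> Dict[str, Any]:
    chain: List[Entry] = []
    # Constructed sample admin actions.
    append(chain, 1700000000, "alice", "role.grant", "bob:admin")
    append(chain, 1700000060, "alice", "apikey.create", "key_01")
    append(chain, 1700000120, "bob", "webhook.update", "hook_07")
    cp = checkpoint(chain)  # what the weekly notarization would pin

    tampered = copy.deepcopy(chain)
    tampered[1]["target"] = "key_99"  # rewrite history without recomputing hashes

    gapped = copy.deepcopy(chain)
    del gapped[1]  # remove an entry from the middle

    truncated = copy.deepcopy(chain[:2])  # drop the newest entry

    return {
        "intact": verify(chain),
        "tampered": verify(tampered),
        "gapped": verify(gapped),
        "truncated_chain_ok": verify(truncated)[0],
        "truncated_vs_checkpoint": verify_against_checkpoint(truncated, cp),
    }


if __name__ == "__main__":
    print(demo())
```

Recomputing the hash of an edited entry does not help an attacker either: the next entry's `prev` still points at the old hash, so `verify` fails one step later. The truncation case is the one a chain cannot see by itself, which is what an externally held checkpoint (or notarization) is for.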
Findings, never material
The secrets module ingests detector findings (where a secret was found, and of what kind), never the secret values themselves. Retrieval is delegated to the 1Password CLI; the dashboard never sees plaintext.
TLS everywhere
TLS 1.2 or newer is enforced on every endpoint. Cloud certificates are issued by Let's Encrypt; self-hosted deployments bring their own.
Compliance posture
| Area | Status |
| --- | --- |
| SOC 2 | In progress (Cloud) |
| GDPR | DPA available (Cloud) |
| Data residency | US, EU, AP (Cloud) · 100% in your infrastructure (Self-hosted) |
| BYOK | Enterprise tier |
| Air-gap | Self-hosted offline tarball |
Need a vendor questionnaire? Email security@cuitty.com.
Found something? Email security@cuitty.com with a clear repro. We acknowledge within 48 business hours and credit researchers in the changelog unless asked not to.