Security & Trust

We Take Security Seriously

Skyhigh Cybersecurity is built by security practitioners, for security practitioners. Here is an unvarnished look at how we protect your data, your clients, and your exercises.

Last updated: March 2026  ·  Questions? security@skyhighcybersecurity.com

Encryption: AES-256-GCM
Infrastructure: Vercel + Supabase (SOC 2)
Payments: Stripe (PCI DSS Level 1)
Platform: SOC 2 Type II (In Progress)
Headers: CSP + HSTS (Enforced)
Access Control: Row-Level Security (RLS)

Data Protection

Encryption & Data Security

All sensitive data is encrypted in transit and at rest using industry-standard cryptographic algorithms.

Credential Encryption [Implemented]
All third-party credentials stored by the platform (Jira, ServiceNow, Twilio, LRS endpoints, OIDC client secrets) are encrypted using AES-256-GCM with unique IVs before being persisted to the database. Raw credentials are never stored in plaintext.

Transport Security [Implemented]
All traffic is served exclusively over HTTPS/TLS 1.3. HSTS (HTTP Strict Transport Security) headers are enforced on all responses, preventing downgrade attacks and ensuring browsers never connect over plain HTTP.

Data at Rest [Implemented]
All database storage is provided by Supabase (PostgreSQL), which encrypts data at rest using AES-256. Backups are encrypted. No customer exercise data, session history, or credentials are stored in browser localStorage beyond session tokens.

Subresource Integrity (SRI) [Implemented]
All third-party scripts loaded from CDNs (jsPDF, Chart.js, JSZip) include SRI integrity hashes. The browser verifies the cryptographic hash before executing any external script, so a script modified at the CDN or in transit will not run.

API Key Security [Implemented]
Platform API keys are stored as SHA-256 hashes; we never store the raw key. Only the key prefix is kept, for display. The full key is shown once, at creation; if it is lost, it must be regenerated.

Offline Pack Encryption [Implemented]
Exported offline exercise packs are encrypted with AES-256-GCM before download. The decryption key is tied to the user's authenticated session. Packs cannot be opened by unauthorized parties even if intercepted.

Application Security

Security Controls & Hardening

Defense-in-depth controls applied across every layer of the application stack.

Content Security Policy (CSP) [Live]
Strict CSP headers applied to all responses, restricting script/style/connect sources to known allowlisted origins.

XSS Sanitization [Live]
All user-supplied content is HTML-escaped before DOM insertion. escHtml() and sanitizeUrl() helpers are enforced across all user-facing rendering paths.

CORS Allowlist [Live]
All Edge Functions enforce an explicit CORS allowlist. Requests from origins not in the allowlist receive a blocked CORS response regardless of JWT validity.

Rate Limiting [Live]
AI functions enforce per-user call limits (coach: 10/session, AI analysis: 5/hr). Webhook delivery is throttled. Prevents abuse and runaway API costs.

Stripe Cross-Verification [Live]
Webhook events are cryptographically verified using Stripe's HMAC signature before any tier upgrade or downgrade is processed.

Idle Session Timeout [Live]
Authenticated sessions automatically expire after a configurable inactivity period. Restoration of an authenticated page from the browser back/forward cache (bfcache) after the session has ended is mitigated via a page visibility event listener.

Row-Level Security (RLS) [Live]
Every Supabase table enforces PostgreSQL RLS policies. Users can only read/write their own records. Cross-tenant data access is prevented at the database level.

DNS TXT Domain Verification [Live]
SSO domain registration requires DNS TXT proof-of-ownership verified via Cloudflare DoH before any SAML/OIDC provider is activated. Prevents domain spoofing.

noindex on Sensitive Pages [Live]
Platform pages (portal, exercise runner, admin tools) carry noindex meta tags to prevent search engine indexing of authenticated-only surfaces.

Penetration Testing [Q2 2026]
Annual third-party penetration test against web application and API surface. First test scheduled Q2 2026. Results summary will be published on this page.

Bug Bounty Program [Planned]
Formal bug bounty program with defined scope and reward tiers. Launch planned alongside SOC 2 Type II completion.

Infrastructure

Infrastructure Security Partners

Skyhigh's infrastructure stack is built entirely on SOC 2 and PCI DSS certified providers. We inherit their security controls and undergo their audit programs.

Vercel
SOC 2 Type II Certified
Frontend hosting, CDN, edge network. All traffic is TLS-terminated at the edge with automatic certificate renewal.

Supabase
SOC 2 Type II Certified
PostgreSQL database, authentication, Edge Functions runtime, and Realtime engine. Data encrypted at rest and in transit.

Stripe
PCI DSS Level 1 Certified
Payment processing. Skyhigh never handles or stores raw card numbers. All payment data is tokenized by Stripe.

Anthropic
SOC 2 Type II Certified
AI processing for AAR summaries, coaching, and scenario generation. No customer PII is sent to AI inference endpoints — only anonymized exercise content.

Resend
SOC 2 Type II Certified
Transactional email (invitations, reminders). Email addresses are used solely for delivery — never shared with or sold to third parties.

Cloudflare
SOC 2 Type II Certified
DNS resolution used for SSO domain ownership verification (DoH endpoint). No user traffic is proxied through Cloudflare.

Identity & Access

Authentication & Access Control

Every access path to customer data is gated by authenticated, role-scoped controls.

JWT Authentication [Live]
All API calls to Edge Functions require a valid Supabase JWT. Tokens are short-lived and automatically refreshed. Expired or tampered tokens are rejected at the Edge Function level before any database access occurs.

Enterprise SSO (SAML 2.0 / OIDC) [Live]
Team and Enterprise customers can enforce SSO via SAML 2.0 or OIDC. Domain registration requires DNS TXT proof-of-ownership. OIDC client secrets are encrypted at rest with AES-256-GCM.

Tier-Scoped Access Gates [Live]
Feature access is enforced server-side in every Edge Function — not just client-side. A Free-tier user cannot access Pro features by manipulating client state; the server independently verifies the JWT tier claim on every request.

Multi-Factor Authentication [Via Supabase]
Supabase Auth supports TOTP-based MFA. Platform-level MFA enforcement for Team/Enterprise accounts is on the near-term roadmap. Enterprise customers can enforce MFA via their SSO Identity Provider today.

Compliance & Certifications

SOC 2 Type II Roadmap

We are committed to achieving SOC 2 Type II certification and will publish the report summary when complete.

SOC 2 Type II — In Progress

We are currently engaged with a compliance automation platform to implement the required controls for SOC 2 Type II certification. The audit covers Security, Availability, and Confidentiality trust service criteria. Target completion: Q3–Q4 2026.

During the period before certification is complete, we are happy to provide a security questionnaire response and discuss our controls posture directly. Contact security@skyhighcybersecurity.com.

Security (CC) [In Progress]
Common Criteria covering logical access, change management, risk assessment, incident response, and monitoring. Core controls already implemented.

Availability (A) [In Progress]
System performance monitoring, uptime SLA commitments for Enterprise tier, and incident notification procedures. Vercel and Supabase provide 99.9%+ infrastructure uptime.

Confidentiality (C) [In Progress]
Data classification, access controls, and encryption controls covering confidential customer exercise data, credentials, and MSSP client information.

Privacy

Data Privacy & Retention

We collect only what is necessary to operate the platform. We do not sell, broker, or share customer data with third parties for advertising purposes.

What We Collect
  • Account email address and display name
  • Exercise session history and After Action Reports
  • Encrypted third-party integration credentials (if configured)
  • Billing information (managed entirely by Stripe — we never see card numbers)
  • Platform usage logs for security monitoring

What We Never Do
  • Sell or share your data with advertisers
  • Train AI models on your exercise content or responses
  • Store raw payment card numbers
  • Access your credentials (stored AES-256-GCM encrypted)
  • Share data across MSSP client organizations

Retention & Deletion
Account data is retained for the duration of your subscription plus a 30-day grace period. Upon account deletion request, all personal data and exercise history are permanently deleted within 30 days. Contact privacy@skyhighcybersecurity.com to request deletion.

Vulnerability Disclosure

Responsible Disclosure Policy

We welcome responsible security research on our platform. If you discover a vulnerability, please report it to us privately before public disclosure.

How to Report a Vulnerability

Send a detailed report to security@skyhighcybersecurity.com with:

1. Description — A clear description of the vulnerability type (e.g., XSS, IDOR, SSRF, auth bypass)
2. Steps to reproduce — Detailed reproduction steps and any proof-of-concept
3. Impact — Your assessment of what data or functionality is at risk
4. Your contact — So we can keep you informed and credit you if desired

We will acknowledge receipt within 2 business days and aim to remediate critical findings within 14 days. We request that you do not publicly disclose findings until we have had the opportunity to remediate.

Safe Harbor: We will not pursue legal action against researchers who follow this policy and act in good faith. We consider this policy a legal authorization for security research within its defined scope.

Out of scope: Social engineering attacks against Skyhigh staff, denial-of-service testing, physical security testing, or attacks against customer accounts without their explicit written consent.
Contact

Security Contact

For security reports, questionnaires, or enterprise security reviews.

Talk to Our Security Team

Security vulnerabilities, compliance questionnaires, pen test report requests, or enterprise procurement security reviews — we respond within 2 business days.

For general inquiries: info@skyhighcybersecurity.com  ·  Privacy requests: privacy@skyhighcybersecurity.com