Skip to content
Trust

Security

Appaloft handles deployment control, server connections, and team permissions. Security is part of the product design.

Last updated: June 25, 2026

This is a public draft for the early Appaloft Cloud website. It is not final legal advice or formal commercial terms, and should be reviewed by counsel before commercial launch.

Authentication and sessions

The console uses Better Auth for login and sessions. Production configuration must be proven with readback evidence for secure cookies, trusted origins, HTTPS, callback URLs, and cookie scope.

Credential handling

Deploy tokens, database URLs, SSH keys, and third-party secrets should be injected only as runtime secrets, never committed to repositories or public docs.

Deployment isolation

Appaloft records deploy paths, health checks, and rollback state. Runtime isolation for applications depends on the server and resource configuration you choose.

Audit and observability

Sensitive operations should leave auditable events, logs, and status for diagnostics, rollback, and security investigation.

Production readiness

Security headers, CSP, email feedback, WAF/risk controls, and external provider settings need deployed-environment readback evidence. This page is not a security certification, compliance certification, or penetration test report.

Reporting issues

If you find a vulnerability, contact [email protected] and give us reasonable time to respond before public disclosure.