Security & data handling

Aegis exists to make your app safer — so we hold ourselves to the same standard. Here is exactly how we treat your project and your data.

Safe scanning

Aegis runs read-only checks by default. Any write probes happen inside transactions that are immediately rolled back, and Aegis never runs destructive operations against your project.

Least privilege

We use your anon key by default. You can optionally provide a service-role key or a read-only Postgres role for deeper checks. Both are encrypted at rest in Supabase Vault.

We never expose secrets

If a scan surfaces a secret, we redact it to its first and last four characters (first4…last4) before it is ever stored or shown. Decrypted credentials never reach the browser.

Authorization required

You confirm that you own or are authorized to scan a project before it is connected, and we require that authorization before each scan runs. Scanning systems without permission is prohibited.

Data minimization

We record only structural information — counts and object names like tables and columns. We never store, sample, or transmit your users' data.

Deletion on request

Delete a project or your account at any time and we remove the associated data, including any encrypted secrets held in Supabase Vault.

Responsible disclosure

Found a security issue in Aegis itself? We want to hear from you. Please report it privately to security@arctyne.com and give us a reasonable window to investigate and fix before any public disclosure.