Security we can stand behind.
No badges we haven't earned.
Your startup ideas and generated codebases are your most valuable assets. Here's how we handle them today, and what's on our roadmap as we grow.
No wall of badges. One track, and every control sits where it actually is today.
Read top to bottom and you read the truth: what is in place today, what we action on request, and what is still on the roadmap. The distance between them is the point. We do not paint it over.
- 01In place today
Encryption in transit
Traffic to the platform runs over HTTPS end to end. Data lives on a single server whose volume is not separately encrypted at rest, so we don't claim that; access to production is limited to the operator and logged.
- 02
GDPR and CCPA rights
two states, told apartYou stay in control of your data. This one isn't a single status, so we won't flatten it into one.
ExportIn place todayExporting your reports is self-serve. No ticket, no wait.
DeletionOn requestTo delete your account and associated data, email privacy@skeptral.com and we action it within 30 days.
- 03On the roadmap
Formal certifications
We don't yet hold SOC 2 or ISO 27001, and we won't claim badges we haven't earned. Pursuing a formal audit is on our roadmap as the team scales.
SOC 2 ISO 27001shown as not yet earned
The badges we don't have are listed here too. Next, exactly what leaves the platform.
How we work with model providers. Two things cross the line; everything else stays here.
Skeptral sends prompts to a small set of frontier model providers, currently Anthropic (Claude) and Google (Gemini), with an optional independent third judge. In production those calls travel through OpenRouter, the routing layer that relays them, so it receives every prompt in order to pass it on. We name every party that receives a prompt, and we send only what is needed to run your request.
the request payload, in full
promptYour prompt for the current run
the one thing the model is being asked to act on
settingsThe model and generation settings
which model to call, and how to call it
stays on the platform, never in a payload
credentialsYour password or billing details
credentials and payment data never reach a model
other_usersOther users' data
no one run can see another account
The providers state that API inputs are not used to train their models. We rely on those terms rather than our own audit, and we will keep this page updated as our agreements and controls evolve.