Security is foundational to Kepler. We build with security-first principles, protecting your code, data, and access to our systems. This page explains our security practices.
Encryption
Data in Transit
All connections to Kepler require TLS 1.3. We enforce HTTPS everywhere and reject plaintext (non-TLS) connections.
Data at Rest
Sensitive data including API keys, OAuth tokens, and personal information is encrypted at rest using AES-256. Encryption keys are stored separately from data.
Authentication
We use industry-standard authentication:
- Email + Password: Bcrypt-hashed passwords with salt
- OAuth: GitHub, GitLab, and other OAuth providers for repository access
- Magic Links: Passwordless email login for quick access
- 2FA: Organization-level 2FA requirements available
Session tokens are short-lived and delivered in Secure, HttpOnly cookies.
Code Handling
No Permanent Storage
We process your code to execute your tasks, then return results. Code in active processing is held only in memory and deleted upon task completion.
Processing Isolation
Each task runs in an isolated environment. Tasks cannot access data from other users or organizations.
Token Handling
Repository credentials (OAuth tokens, SSH keys) are encrypted and stored separately. They are used only for the specific operations you authorize and are never logged or exposed.
Infrastructure
- Cloudflare: DDoS protection, WAF, and CDN at the edge
- Tunnel Access: Admin interfaces accessible only through authenticated Cloudflare Tunnel
- WARP Only: Production admin access requires Cloudflare WARP client
- Network Isolation: Internal services are not exposed to the public internet
Compliance
We are committed to security best practices:
- SOC 2: Working toward SOC 2 Type II certification
- Penetration Testing: Regular third-party security assessments
- Incident Response: Documented incident response procedures
- Access Logging: Comprehensive audit logs for all user and admin access
Compliance Roadmap
Our ongoing compliance journey:
Q2 2026 — In Progress
SOC 2 Type I documentation and gap assessment
Q3 2026 — Planned
SOC 2 Type I certification audit
Q4 2026 — Planned
SOC 2 Type II design and operating effectiveness
2027 — Roadmap
ISO 27001, GDPR compliance review, HIPAA readiness
Sub-Processors
We work with trusted service providers who meet our security standards:
- Cloud Infrastructure: Cloudflare — edge network, DDoS protection, WAF
- Compute: Isolated container execution environments
- Database: Neon — managed PostgreSQL with encryption
- Authentication: Auth.js — secure session management
- Email: Resend — transactional email delivery
- Analytics: Plausible — privacy-first analytics
We will notify users of any changes to sub-processors via email.
Vulnerability Disclosure
We welcome security research. If you find a vulnerability, please report it responsibly:
- Email:
- Include detailed reproduction steps
- Do not disclose publicly until we have fixed the issue
- We acknowledge reports within 48 hours and aim to fix critical issues within 7 days
Contact
For security concerns or questions: