Security Overview
How Jettson.dev protects user data and the security controls currently in place — including what we have not yet certified.
Last updated: May 15, 2026 · Version 1.0
Security is a product feature. This page is an honest description of the controls in place today, the controls we are working toward, and how to report a vulnerability.
1. Encryption
- In transit. All traffic to jettson.dev and our APIs is served over HTTPS with TLS 1.2 or higher. HSTS is enabled at the apex domain.
- At rest. Data stored in Google Firestore and Stripe is encrypted at rest by those providers. Agent workspaces on Fly.io are encrypted at the disk layer by Fly.
2. Authentication
- Web sign-in via Firebase Authentication (email/password or Google OAuth). Passwords are never visible to us — Firebase stores a secure hash.
- API authentication uses bearer tokens (jett_sk_live_…). Tokens are stored as a SHA-256 hash; the plaintext is shown to the user exactly once at creation.
- Two-factor authentication is supported via Google when you sign in with Google. Native 2FA on email/password is on the roadmap.
3. Isolation
- Each agent run is provisioned its own Linux container with its own filesystem (/workspace), its own memory address space, and its own network namespace.
- Agent containers cannot reach the Jettson API server directly, other agents' containers, or each other.
- HMAC-signed callback tokens are scoped to a single agent_id so a leaked token only affects that one agent.
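An added illustration of how an HMAC-signed token can be bound to one agent_id, so that a token issued for one agent is rejected when presented for another. This is example code, not Jettson's implementation. The token layout, the expiry field, the SHA-256 choice, the key handling and the function names are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real service would load this from its secret store.
SIGNING_KEY = secrets.token_bytes(32)


def _sign(key: bytes, payload: str) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    digest = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def mint_callback_token(agent_id, ttl_s=900, key=SIGNING_KEY, now=None):
    """Return '<agent_id>.<expiry>.<mac>' (hypothetical layout)."""
    if not agent_id or "." in agent_id:
        raise ValueError("agent_id must be non-empty and contain no '.'")
    expiry = int(time.time() if now is None else now) + ttl_s
    payload = f"{agent_id}.{expiry}"
    return f"{payload}.{_sign(key, payload)}"


def verify_callback_token(token, expected_agent_id, key=SIGNING_KEY, now=None):
    """True only for an authentic, unexpired token minted for expected_agent_id."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    agent_id, expiry_s, mac = parts
    # Authenticate first, in constant time, over exactly the fields received.
    expected_mac = _sign(key, f"{agent_id}.{expiry_s}")
    if not hmac.compare_digest(mac.encode(), expected_mac.encode()):
        return False
    # The MAC is valid, so expiry_s is a value this service wrote itself.
    current = time.time() if now is None else now
    if int(expiry_s) < current:
        return False
    # Scope check: the signed agent_id must be the agent this callback is for.
    return hmac.compare_digest(agent_id.encode(), expected_agent_id.encode())
```

The scope check is what limits a leaked token to one agent: the MAC proves the token is genuine, and the agent_id comparison proves it is being used for the agent it was issued to.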
4. Access controls
- Internal access to production systems is granted on a least-privilege basis and audited.
- Production secrets live in the Vercel and Fly secret stores; they are never in source control.
- The number of people with production access is currently very small (single-founder operations); we will publish a more detailed access model when the team grows.
5. Sub-processors
We rely on a small set of sub-processors. The full list is at /sub-processors, with links to each one's security and privacy posture.
6. Logging and monitoring
- API requests, agent lifecycle events, and admin actions are logged.
- Security-relevant logs are retained for up to 24 months.
- We do not store agent stdin/stdout content in logs by default; we store metadata (size, latency, status).
7. Incident response
If we discover a confirmed security incident affecting your data, we will notify affected Accounts within 72 hours by email to the Account email. Notifications will include: a description of what happened, the data categories affected, our response, and recommended actions.
You can subscribe to a future incident notification feed; today, status is communicated by email and via posted updates on the site.
8. Vulnerability disclosure
We welcome reports from security researchers. Email customertek@rwxtek.com with subject "Vulnerability report" and include: reproduction steps, the impact, and your contact for follow-up.
Safe harbor. We will not pursue legal action against good-faith security research that: (a) does not access, modify, or destroy other users' data; (b) does not degrade the Service for other users; (c) gives us reasonable time to fix the issue before public disclosure; and (d) complies with all applicable laws. If in doubt, contact us first.
We do not currently run a paid bounty program but we recognize impactful disclosures publicly with the researcher's permission.
9. What we do not yet have
We believe in being honest about gaps. As of the Last updated date above, Jettson does not have:
- SOC 2 Type I or Type II report
- ISO 27001 certification
- HIPAA Business Associate Agreement availability
- Third-party penetration testing report
- A formal bug bounty program with payouts
These are on the roadmap. Customers with compliance requirements that depend on any of the above should contact customertek@rwxtek.com to discuss timing.
10. Customer responsibilities
Security is shared. You are responsible for:
- Keeping your API keys and passwords confidential. Rotate keys quarterly.
- Using a strong, unique password and enabling Google sign-in or another MFA option where supported.
- Reviewing agent tasks before running them, especially tasks that touch third-party systems with side effects.
- Not putting secrets, credentials, or regulated data in agent prompts, memory, or workspaces unless you accept the Acceptable Use Policy restrictions.
11. Contact
Security: customertek@rwxtek.com.