Security
This page describes the security posture of the YoFix platform. For the full security overview, including subprocessor list and DPA, contact [email protected].
Isolation
Domain isolation
Preview traffic and dashboard / API traffic live on different top-level domains:
- *.yofix.dev: previews only. No cookie scope to the dashboard.
- *.yofix.ai: dashboard, API, and marketing site.
This isolation means a malicious preview deployment cannot read or write your dashboard session even if both happen to live in the same browser profile.
Tenant isolation
Every database query is scoped by organizationId. We do not use
schema-level multitenancy; we use row-level isolation with mandatory
filters on every query. Reviewer-only access cannot read other
organizations’ data even via crafted API requests.
Worker isolation
Build workers run each job in a fresh per-job working directory with
resource caps applied via systemd. Workers run as a non-root yofix
user and have no access to other tenants’ artifacts.
Secrets
- Environment variables are encrypted at rest with per-tenant keys.
- GitHub App private key is stored encrypted and used only by the API for signing JWTs to GitHub.
- Database credentials never leave the host they’re used on.
- Worker R2 credentials are scoped to the artifact bucket only, not to billing or account-level APIs.
We never log secret values. Build logs are scrubbed for known secret patterns before being persisted.
RBAC
The role hierarchy is owner > admin > developer > viewer. Every API
endpoint enforces the minimum role required. Role assignment is
audited.
| Role | Can do |
|---|---|
| owner | Everything, including billing and deleting the workspace |
| admin | Manage members, projects, integrations |
| developer | Create projects, push previews, promote, rollback |
| viewer | Read-only access to dashboards and previews |
Audit logs
Every state-changing action is logged with:
- The actor (user or system).
- The IP address.
- The timestamp.
- The before/after diff of what changed.
Audit logs are immutable from the dashboard UI. Enterprise customers can SIEM-export the audit stream via webhook.
How we handle your code
- We clone your repository to a per-job working directory on a build worker for the duration of the build.
- After the build completes, the working directory is removed.
- We retain build artifacts (the compiled output) according to your configured retention window (default 30 days).
- We retain build logs for the same window.
- We do not retain source code beyond the active build.
- We do not use your code to train any model. The only AI calls are for AST-derived route impact analysis, which sends function-level hashes and import names, never raw source.
Webhook verification
Every inbound GitHub webhook is verified against the App’s secret. We reject any webhook that fails signature verification. This is non-negotiable; there is no “skip verification” path.
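As an added example (not YoFix's own code), this is the check the paragraph describes: recomputing the HMAC-SHA256 of the raw request body with the App's webhook secret and comparing it in constant time against GitHub's X-Hub-Signature-256 header, with every failure mode rejecting. The function names and the header-dict shape are assumptions; the secret and payload are constructed fixtures.

```python
import hmac
import hashlib
from typing import Optional

# GitHub sends the HMAC-SHA256 of the raw request body in this header,
# formatted as "sha256=<hex digest>", keyed with the App's webhook secret.
SIGNATURE_HEADER = "X-Hub-Signature-256"


def sign_payload(secret: str, body: bytes) -> str:
    """Produce the header value GitHub would send for this body and secret.

    Used here only to build fixtures; a receiver never trusts a caller-
    supplied signature without recomputing it.
    """
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_github_signature(secret: str, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a valid HMAC-SHA256 over body.

    No configured secret, missing header, wrong algorithm prefix, malformed
    hex and digest mismatch all return False; there is no skip path.
    """
    if not secret or header_value is None:
        return False
    prefix, sep, sent_hex = header_value.partition("=")
    if sep != "=" or prefix != "sha256":
        # Reject the legacy SHA-1 header and anything else unexpected.
        return False
    try:
        sent = bytes.fromhex(sent_hex)
    except ValueError:
        return False
    expected = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).digest()
    # Constant-time comparison so response timing does not leak how many
    # leading bytes of a guessed digest were correct.
    return hmac.compare_digest(expected, sent)


def handle_webhook(secret: str, headers: dict, raw_body: bytes) -> int:
    """Minimal dispatcher: 401 on a bad signature, 200 once accepted.

    Verification runs on the raw bytes before any JSON parsing, because
    re-serialised JSON would not reproduce the bytes GitHub signed.
    """
    if not verify_github_signature(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return 401
    return 200
```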
Reporting a vulnerability
Email [email protected]. We respond within 1 business day. We acknowledge responsibly disclosed vulnerabilities on our security page.