Technical detail
Security.
The strongest security answer we can give is structural: your code and data run in your own cloud account, on your keys, and we never train on them. Baseline encryption (TLS in transit, AES-256 at rest) is in place day one via the cloud providers we deploy into. BYOK and customer-cloud deploy by default. This page goes deeper than /trust: how we handle security by area, our sub-processors, and vulnerability disclosure.
Read the founder-facing summary at /trust.
Sovereign AI, by architecture.
Most AI tools hold your code and data on their own infrastructure and reserve the right to learn from it. The cost is showing up in the wild: a 2025 audit across more than 100 models found roughly 45% of AI-generated code introduced a security vulnerability, and 170-plus AI-built apps shipped with broken access controls that exposed personal and financial data.
StackWeavers answers that structurally, not with a pledge. Your code and data live in your own cloud account, run on your own model keys, and are never trained on, on every plan. Sovereignty over your code, data, and keys is the default, not an enterprise upsell. And every deliverable clears a dedicated security-scan gate before it can merge, so issues are caught in the pipeline, not in production.
Source: Veracode 2025 GenAI Code Security Report (2025) ↗Source: The Register: 170+ AI-built apps exposed data (CVE-2025-48757) (Feb 2026) ↗
How we handle security.
Security
Access controls, encryption in transit (TLS) and at rest (AES-256), customer-cloud deploy by default, MFA on all administrative accounts, regular vulnerability scanning. Vulnerability disclosure at /.well-known/security.txt.
Availability
Production deploys land in your cloud and run on your provider's availability commitments. Enterprise SLA available. Status page at status.stackweavers.com (post-launch).
Confidentiality
No training on customer code. No fine-tuning on customer data. Zero retention with model providers via contract. Customer holds model keys on Enterprise (CMEK roadmap).
Processing Integrity
Six automated quality gates run on every deliverable before merge: architecture, code review, test coverage, security scan, performance budget, API contract. All gate results visible to the customer in real time.
Privacy
GDPR DPA available. CCPA aligned. PII detection and automated masking on the Phase 3 roadmap. Data residency routing for regulated workloads (Enterprise).
Compliance roadmap.
- • ISO 27001. On the roadmap, scoping in Q4 2026.
- • HIPAA. Eligible for Enterprise customers with a BAA. Field-level encryption in pipeline.
- • GDPR and UK DPA. DPA available today. Data-residency routing in Phase 3.
- • EU-domiciled cloud support. Scaleway and OVHCloud on the roadmap for fully EU-jurisdiction deploys (no US-jurisdiction dependency at the infrastructure layer). See the regions breakdown on /trust and the broader EU cloud landscape.
- • FedRAMP. Exploring, conditional on customer demand.
Sub-processors and contacts.
- • Sub-processor list: /legal/subprocessors
- • Data processing addendum: /legal/dpa
- • Vulnerability disclosure: /.well-known/security.txt
- • Status: status.stackweavers.com (post-launch)
- • Security contact: security@stackweavers.com