Security
How S6S.ai protects your data, credentials, and workflows.
Our security commitment
S6S.ai is a workflow engine that handles sensitive credentials on your behalf. We treat security as foundational, not optional. Every credential is encrypted, every session is verified, and every API call is authenticated. If you have questions about our security practices, contact [email protected].
Credential Encryption
- All OAuth tokens and API keys are encrypted at rest using AES-256-GCM
- Encryption keys are stored separately from encrypted data
- Credentials are never logged or included in error reports
- Agents never have access to raw credential values
Token Management
- OAuth tokens are refreshed automatically before workflow execution
- Expired tokens are rotated without manual intervention
- Revoked credentials are deleted immediately from our systems
- Per-user credential scoping prevents cross-user access
Authentication
- JWT-based sessions with HTTP-only, secure cookies
- Google OAuth and GitHub OAuth for sign-in
- API keys for programmatic access with Bearer token auth
- CSRF protection via state parameter in OAuth flows
Infrastructure
- All traffic encrypted in transit via TLS/HTTPS
- Application deployed on isolated containers
- Database connections encrypted and access-controlled
- Regular dependency updates and vulnerability scanning
Data Handling
- Workflow execution logs are scoped to the workflow owner
- Step outputs are stored temporarily for monitoring, not permanently indexed
- No third-party analytics or tracking on authenticated pages
- Google API data usage complies with Limited Use requirements
Access Control
- API keys can be created and revoked from the dashboard
- Each API key is scoped to the creating user's account
- Middleware enforces authentication on all protected routes
- Public API endpoints are rate-limited
Responsible Disclosure
If you discover a security vulnerability in S6S.ai, please report it responsibly. We take all reports seriously and will respond within 48 hours.