Trust & Posture

Security at Launchverse

How we protect your code, your secrets and your users' data. Honest about what we do, honest about what we don't.

Encryption at rest

GitHub Personal Access Tokens stored against your account are encrypted with AES-256-GCM using a server-side master key. Database-level encryption is handled by LaunchVerse Database (managed Postgres) with disk encryption on the underlying volumes. Build artifacts in our object store are encrypted at rest with AES-256.

Encryption in transit

All traffic to launchverse.app, dashboard APIs, deployed apps and the engine control plane is served over TLS 1.3. HSTS is enforced on the marketing site, and Cloudflare sits in front of every public endpoint. SSH connections to BYOS hosts use OpenSSH defaults (curve25519, ChaCha20-Poly1305).

Authentication & RBAC

Sign-in is handled by LaunchVerse Database Auth with email/password and OAuth (GitHub) flows protected by Cloudflare Turnstile. Project access is gated by a three-tier role model — Owner / Developer / Viewer — enforced at every API route. Promotion to Owner requires an explicit, separately authorised endpoint (it cannot be done via invitation). Settings password updates require the current password.

Tenant isolation

Each deployed project runs as its own container. Build runners are short-lived, single-use VMs — one tenant's build cannot read another's. Database row-level security (RLS) is applied to every LaunchVerse Database table by default; the service-role client used for system tasks is restricted to backend routes that validate authorisation explicitly.

Secrets handling

Environment variables are stored encrypted at rest, scoped by (project_id, environment_id, key) so a non-default environment cannot leak production secrets. Secrets are never written to logs. Public-facing build logs strip known secret patterns (API keys, JWT-shaped strings) before rendering.

Data location

Application data, build artifacts and Postgres databases live in EU/US data centres (primarily Hetzner) with Cloudflare African POPs in front for latency. We do not currently offer a dedicated Africa-hosted region for managed workloads; teams that require Nigerian data residency should use BYOS with a local provider and Launchverse as the control plane only.

Auditability

Every privileged action — role change, env-var write, deploy, rollback, domain mutation, account deletion — produces a structured audit log entry. Rate limits are applied to the same set of endpoints to slow down credential-stuffing or brute-force enumeration.

Webhook integrity & replay protection

Inbound GitHub webhooks are verified with HMAC-SHA256 against a per-install secret using a constant-time comparison — signatures that don't match are rejected before any work runs. Every delivery's unique ID is persisted; if the same event is re-delivered (network retry, gateway timeout) we acknowledge with 200 instead of firing a duplicate build. Engine-side webhooks are similarly deduplicated and aged out by a daily sweep.
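The verify-then-deduplicate order described above, as an added Python sketch that is not Launchverse's own code. The header names are GitHub's; the in-memory table, the 401/400 reject codes, the 24-hour TTL taken from the retention section, and the sample secret, body and delivery ID are assumptions made for the example.

```python
import hashlib
import hmac
import time

DELIVERY_TTL = 24 * 60 * 60  # assumed from "pruned after 24 hours" on this page


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


class WebhookGate:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}  # delivery ID -> first-seen time; stand-in for a DB table

    def handle(self, headers: dict, body: bytes, now=None):
        """Return (status, action); the reject status codes are assumptions."""
        now = time.time() if now is None else now
        got = headers.get("X-Hub-Signature-256", "")
        want = sign_body(self.secret, body)
        # Constant-time compare over bytes. A mismatch stops here, before the
        # delivery ID is read or stored, so forged requests cannot fill or
        # poison the replay table.
        if not hmac.compare_digest(want.encode(), got.encode()):
            return 401, "rejected"
        delivery_id = headers.get("X-GitHub-Delivery")
        if not delivery_id:
            return 400, "rejected"
        if delivery_id in self.seen:
            return 200, "duplicate"  # acknowledge the retry, start no build
        self.seen[delivery_id] = now
        return 200, "build"

    def sweep(self, now=None) -> int:
        """Drop records older than the TTL; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [d for d, t in self.seen.items() if now - t > DELIVERY_TTL]
        for d in stale:
            del self.seen[d]
        return len(stale)


# Constructed sample delivery (secret, body and ID are made up).
SECRET = b"constructed-install-secret"
BODY = b'{"ref":"refs/heads/main"}'
HEADERS = {"X-Hub-Signature-256": sign_body(SECRET, BODY),
           "X-GitHub-Delivery": "00000000-0000-0000-0000-000000000001"}
```

The signature must be computed over the raw request bytes; re-serialising parsed JSON before hashing changes the digest and rejects valid deliveries.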

Capacity admission control

Every deploy — from the dashboard, manual trigger, rollback, deploy hook, or GitHub push — passes through one admission gate that enforces your plan's concurrent-deploy cap, build-minute quota, and a per-tier share of host CPU and memory. There is no side-door that lets a script bypass plan limits. Admission failures return a clean rate-limit response instead of letting the build OOM-kill mid-way.

Cron & service-role hardening

Internal cron routes (capacity sweep, queue drain, orphan cleanup, subscription revert) are gated by a shared secret validated against the request's Authorization header in constant time. The Postgres functions they call are SECURITY DEFINER and granted only to service_role, so a leaked anon key cannot trigger them.

Data retention

In-app notifications are deleted after 60 days by a daily retention job — the dashboard only ever shows the most recent activity, so anything older is dead weight. Webhook delivery records are pruned after 24 hours. Build logs and deployment metadata are retained for the lifetime of the project; deleting a project deletes all of its rows in cascade. Account deletion is irreversible and tears down every owned team, project and key.

Subprocessors

Critical subprocessors: LaunchVerse Database (auth + Postgres), Cloudflare (CDN, DNS, Turnstile), Hetzner (compute), Paystack (Naira billing), GitHub (source control). The application engine that runs your container is self-hosted by Launchverse on the compute provider above and is not a separate subprocessor. We disclose changes to this list on the changelog before they take effect.

Compliance posture

Launchverse is a Nigerian company and we operate against the Nigerian Data Protection Regulation (NDPR) and the GDPR as applicable for EU-resident users. We do not currently hold a SOC 2 attestation; this is on our roadmap for 2027 once we onboard our first enterprise cohort.

Customers handling regulated data (financial services, health, public sector) are served best by our BYOS Enterprise plan — we manage the control plane while your data stays on infrastructure you control, in the jurisdiction you choose.

We sign Data Processing Agreements (DPAs) on request for paid plans. Email [email protected] and we'll route a draft within two business days.

Responsible disclosure

Found a vulnerability? Email [email protected] with a description, reproduction steps and the impact you assess. We commit to:

  • Acknowledge receipt within 2 business days.
  • Provide an initial triage and severity assessment within 5 business days.
  • Coordinate a fix and public disclosure within 90 days, or sooner if a fix lands earlier.
  • Credit you in the changelog if you want public attribution.
  • Not pursue legal action against good-faith security research that respects user data and avoids service disruption.

We don't currently run a paid bounty programme. We do send Launchverse swag and credit-on-platform for valid reports.

Have a security question we haven't answered? [email protected].
