Security & compliance
Your unreleased game stays private and safe
Your project is your most valuable work. It stays private to your team and is never lost. Here's exactly how we protect it, and how you can verify every claim yourself.
Purpose-built
How we keep your project safe
Private storage, signed access
Your files live in private storage in EU data centers. Never public. Every upload and download happens over a short-lived, encrypted (TLS 1.2+) link scoped to a single project, so nothing is ever exposed to the open internet.
SHA-256 integrity verification
Every file is hashed on upload and checked again on download. You always get back the exact file you put in, byte for byte. Silent corruption can't slip through.
Role-based access control
Three clear roles (owner, admin, member) plus per-project membership. Contractors and freelancers get access to what they need, nothing more.
Complete audit logs
Every commit, sync, download, lock, and permission change is logged with actor, timestamp, and IP. Enterprise plans extend retention and include exports.
Source-available desktop app
Enterprise customers get the desktop client source code. Read the source, build it yourself, verify exactly how your data is handled. No black boxes.
Scoped API keys
API access uses per-project keys that can be regenerated instantly if compromised. No long-lived credentials, no broad org-wide tokens.
How access control works
Access is layered:
• Organization-level roles determine what you can do across the org. Owners handle billing, admins manage teams, members do the work.
• Project membership determines which projects a member can see. A contractor added to one project has no visibility into the rest of your org.
• API keys are scoped per project. A desktop app linked to one project can't access another, even if both belong to the same org.
This layered model means you can bring on a freelance texture artist for two weeks, give them exactly the access they need, and remove it cleanly when the engagement ends.
Data handling and storage
Your files are stored in private object storage in EU data centers, with physical and logical security controls. The storage is never publicly accessible: the desktop app and web dashboard reach your files only through short-lived signed links that are scoped to a single project and expire quickly. There are no public URLs to leak. Every file is verified with a SHA-256 hash on upload and again on download, so silent corruption can't slip through. If a stored file doesn't match its hash, the system refuses to deliver it. Metadata (commit messages, version history, project structure, membership) lives in PostgreSQL with standard database-level security controls.
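The refuse-to-deliver behaviour described above can also be enforced independently on the receiving side. The following is an added example, not code from the product: `deliver_verified`, `sha256_file` and `IntegrityError` are hypothetical names, and the expected hash is assumed to come from a trusted record such as the commit metadata.

```python
import hashlib
import os
import tempfile


class IntegrityError(Exception):
    """Raised when downloaded bytes do not match the recorded SHA-256."""


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large assets never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def deliver_verified(chunks, expected_hex, dest_path):
    """Write streamed chunks to dest_path only if their SHA-256 matches.

    Bytes go to a temporary file in the destination directory first, so
    dest_path never holds unverified or partially written content.
    """
    digest = hashlib.sha256()
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in chunks:
                digest.update(chunk)
                tmp.write(chunk)
        if digest.hexdigest() != expected_hex.lower():
            raise IntegrityError(f"SHA-256 mismatch for {dest_path}")
        os.replace(tmp_path, dest_path)  # atomic rename after verification
    except BaseException:
        # On mismatch or I/O failure, remove the partial file and re-raise.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return dest_path
```
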
Authentication
Web access uses Stytch B2B magic links. No passwords to leak, no password resets to compromise. Sessions are time-limited and device-bound. Desktop and CLI access uses per-project API keys prefixed with `usc_`. Keys are stored as SHA-256 hashes server-side, so even a complete database compromise wouldn't expose raw credentials. Keys can be rotated from the dashboard at any time. For Enterprise customers, SSO / SAML integration is available. Contact us to discuss.
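The key-handling model described above (per-project `usc_` keys, stored only as SHA-256 hashes, invalidated on regeneration) can be sketched as follows. This is an added example, not the service's own code: `ProjectKeyStore` and its methods are hypothetical, and an in-memory dict stands in for the database.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "usc_"  # prefix stated on the page


class ProjectKeyStore:
    """Hypothetical server-side store holding one active key hash per project."""

    def __init__(self):
        self._hash_by_project = {}  # project_id -> hex SHA-256 of the active key

    @staticmethod
    def _digest(raw_key):
        # A fast hash is adequate here because the key is 256 bits of
        # randomness; low-entropy secrets such as passwords need a slow KDF.
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def regenerate(self, project_id):
        """Issue a new key. Overwriting the stored hash invalidates the old key."""
        raw_key = KEY_PREFIX + secrets.token_urlsafe(32)
        self._hash_by_project[project_id] = self._digest(raw_key)
        return raw_key  # returned once to the caller, never stored

    def authorize(self, project_id, presented_key):
        """Return True only if the key is the active key for this project."""
        stored = self._hash_by_project.get(project_id)
        if stored is None or not presented_key.startswith(KEY_PREFIX):
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(stored, self._digest(presented_key))

    def dump(self):
        """What a database leak would contain: project ids and hashes only."""
        return dict(self._hash_by_project)
```
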
Verifying our claims
Most of our security posture is observable:
• The desktop app source code is available to Enterprise customers. Read the code, check the hashes, build it yourself.
• The API is documented and uses standard HTTPS. Inspect traffic yourself. No proprietary protocols, no obfuscation.
• Audit logs are yours. Export and review at any time.
For studios with formal compliance requirements (SOC 2 type 2, data residency, specific contract terms), Enterprise plans include appropriate documentation and controls. Contact us for your security review checklist.
FAQ
Common questions
Are files encrypted at rest?
Files are stored on encrypted volumes provided by our storage infrastructure. For customers requiring customer-managed encryption keys or specific crypto controls, Enterprise plans offer additional options. Contact us to discuss.
Where is my data stored?
Your files are stored in private object storage in EU data centers, reachable only through short-lived signed links scoped to your project. Customers with specific data-residency requirements should talk to us about Enterprise options.
What happens if an API key is compromised?
Regenerate the project's key from the dashboard. The old key is invalidated immediately. Check the audit log for any unauthorized activity. We can help trace it if needed.
Do you support SSO?
SSO / SAML integration is available on Enterprise plans. Contact us with your identity provider details.
Can I export my audit log?
Yes. Studio plans include dashboard access to logs; Enterprise plans extend retention and include programmatic export for integration with your security tooling.
What's your incident response process?
We maintain an incident response plan and notify affected customers promptly. Enterprise contracts include notification SLAs specific to your requirements.
Have you been audited?
SOC 2 type 2 certification is on the roadmap. Enterprise customers with immediate compliance needs should contact us to discuss current controls documentation.
Keep your game private and safe
From $12/mo for solo developers. Private by default, and ready as soon as you're set up.