Security

Built for audit. Honest about progress.

What we do, where your data lives, what we never do with it, and which certifications are signed versus still in progress. Each section below is tagged so you can scan the posture before reading the prose.

Live today In progress On the roadmap

Hosting

Live today

Starport runs on Cloudflare's global network: Workers at the edge, Durable Objects for stateful actors, R2 for artifacts, KV for config. Multi-region active today. Dedicated US-only and EU-only regions are on the roadmap.

Encryption

Live today

TLS 1.3 in transit, AES-256 at rest. Per-tenant encryption keys. Bring-your-own-keys via KMS, rotated on your cadence, never logged on our side.

Tenant isolation

Live today

Every workspace is a logically isolated tenant. Tenant ID is enforced at every read and write path. Cross-tenant queries are unreachable by construction, not by policy: the wrong tenant ID returns empty, not denied.

Receipts as evidence

Live today

Every governed action emits a tamper-evident receipt: who did what, on which resource, against which goal, with which result. Replay any action from its receipt. Export the entire log as signed JSON on demand.

Models and your data

Live today

We never train models on your data. Ever. When you bring your own model keys (Anthropic, OpenAI, Google, or self-hosted), prompts and completions flow directly to your provider under your contract, not ours.

Vulnerability disclosure

Live today

Responsible-disclosure inbox: security@starport.to. We acknowledge within 24 hours and triage within 72. A formal bug bounty is on the roadmap; terms available on request in the meantime.

Audit posture

In progress

SOC 2 Type II audit is in progress, not complete; the report will be published the day it's signed. ISO 27001 readiness work is underway, targeted Q3 2026. GDPR-aligned today.

Regional residency

On the roadmap

Dedicated single-region deployments (US-only, EU-only) are on the roadmap behind general-availability gating. Today, every workspace is multi-region on the Cloudflare edge.

Audit timeline

SOC 2 Type II is in progress, not complete.

The audit happens on a quarter cadence. We publish the report the day it's signed, not before.

  1. Q1 2026 Readiness

    Policies, controls, and evidence collection started

  2. Q2 2026 Audit

    Type II observation window, auditor selection

  3. Q3 2026 Report

    Type II report signed and published

  4. Q4 2026 ISO 27001

    ISO 27001 readiness reaches certification audit

Need our security posture in detail? Email security@starport.to. We'll respond inside one business day.

Coming · Starscope

Receipts your auditor opens, not us.

Every governed action emits a tamper-evident receipt: the goal, the steps, the evidence. Starscope is the public lens we are shipping in 2026 Q4. A stranger lands on the receipt URL, replays the chain, verifies the signatures, and answers their own question without asking us. The replay runs on our infrastructure; the cryptographic chain is verifiable on theirs.

A receipt is honest when its oracle was independent. The receipts you produce in Starport are signed against external timestamps and replayable by anyone holding the receipt ID. We do not gatekeep the audit.

One workspace. One bill. One Monday from now.

One Monday from now, your stack is one app.

Open Starport. Sign in once. Cancel the other twelve on Tuesday.