Hosting
Live todayStarport runs on Cloudflare's global network: Workers at the edge, Durable Objects for stateful actors, R2 for artifacts, KV for config. Multi-region active today. Dedicated US-only and EU-only regions are on the roadmap.
What we do, where your data lives, what we never do with it, and which certifications are signed versus still in progress. Each section below is tagged so you can scan the posture before reading the prose.
Starport runs on Cloudflare's global network: Workers at the edge, Durable Objects for stateful actors, R2 for artifacts, KV for config. Multi-region active today. Dedicated US-only and EU-only regions are on the roadmap.
TLS 1.3 in transit, AES-256 at rest. Per-tenant encryption keys. Bring-your-own-keys via KMS, rotated on your cadence, never logged on our side.
Every workspace is a logically isolated tenant. Tenant ID is enforced at every read and write path. Cross-tenant queries are unreachable by construction, not by policy: the wrong tenant ID returns empty, not denied.
Every governed action emits a tamper-evident receipt: who did what, on which resource, against which goal, with which result. Replay any action from its receipt. Export the entire log as signed JSON on demand.
We never train models on your data. Ever. When you bring your own model keys (Anthropic, OpenAI, Google, or self-hosted), prompts and completions flow directly to your provider under your contract, not ours.
Responsible-disclosure inbox: security@starport.to. We acknowledge within 24 hours and triage within 72. A formal bug bounty is on the roadmap; terms available on request in the meantime.
SOC 2 Type II audit is in progress, not complete; the report will be published the day it's signed. ISO 27001 readiness work is underway, targeted Q3 2026. GDPR-aligned today.
Dedicated single-region deployments (US-only, EU-only) are on the roadmap behind general-availability gating. Today, every workspace is multi-region on the Cloudflare edge.
The audit happens on a quarter cadence. We publish the report the day it's signed, not before.
Policies, controls, and evidence collection started
Type II observation window, auditor selection
Type II report signed and published
ISO 27001 readiness reaches certification audit
Need our security posture in detail? Email security@starport.to. We'll respond inside one business day.
Every governed action emits a tamper-evident receipt: the goal, the steps, the evidence. Starscope is the public lens we are shipping in 2026 Q4. A stranger lands on the receipt URL, replays the chain, verifies the signatures, and answers their own question without asking us. The replay runs on our infrastructure; the cryptographic chain is verifiable on theirs.
A receipt is honest when its oracle was independent. The receipts you produce in Starport are signed against external timestamps and replayable by anyone holding the receipt ID. We do not gatekeep the audit.
Open Starport. Sign in once. Cancel the other twelve on Tuesday.