Our infrastructure runs on managed cloud services from trusted providers, meaning we inherit enterprise-grade security defaults for encryption, availability, and access control — then layer our own application-level protections on top.

We integrate with external AI platforms (Claude, ChatGPT, Cursor, and others) via authenticated API connections, following each platform's security requirements. You control which tools connect to your workspace through scoped API keys that can be revoked at any time.

If you have questions or concerns, contact us at security@sleds.ai.

🏗️

Infrastructure

Our backend runs on Railway (Docker containers) with PostgreSQL on Neon (AWS us-east-1) and Redis on Upstash (serverless). All services communicate over private, TLS-encrypted connections. Our frontend is deployed on Vercel's edge network.

We use managed services exclusively — we don't operate our own servers, which means infrastructure patching, OS-level security, and physical security are handled by our providers. Database connections are pooled through PgBouncer and require authenticated credentials.

🔧

Application

We use Clerk for all user authentication — sleds never sees or stores passwords. Clerk provides email/password auth with bcrypt hashing, social login (Google, GitHub), and enterprise SSO (SAML) on our Business plan. Multi-factor authentication is available and user-configurable.

AI tools authenticate via workspace-scoped API keys prefixed with sleds_ak_. Keys are bcrypt-hashed before storage and can be instantly revoked from the dashboard. All API endpoints enforce authentication and workspace-level authorization — a valid key for one workspace cannot access another.
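Because every key carries the sleds_ak_ prefix, a leaked key is easy to find in a repository or log before it needs revoking. The scanner below is an added example, not sleds code; the key-body format (16 or more characters from A-Z, a-z, 0-9, "_" and "-") is an assumption, and the sample keys are constructed.

```python
import hashlib
import re

# Assumption: the secret part after the documented "sleds_ak_" prefix is at
# least 16 characters from [A-Za-z0-9_-]; the page does not specify the format.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sleds_ak_[A-Za-z0-9_-]{16,}")


def fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint so a finding can be tracked without the secret."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def redact(key: str) -> str:
    """Keep the prefix and the last 4 characters, mask the rest."""
    return "sleds_ak_" + "*" * 8 + key[-4:]


def scan(text: str):
    """Return (line_no, redacted_key, fingerprint) for every key-shaped token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            findings.append((line_no, redact(key), fingerprint(key)))
    return findings


def scrub(text: str) -> str:
    """Replace every key-shaped token with its redacted form, e.g. before logging."""
    return KEY_RE.sub(lambda m: redact(m.group(0)), text)


# Constructed sample input: a config file and log lines with made-up keys.
SAMPLE = """\
# .env committed by mistake
SLEDS_API_KEY=sleds_ak_Zm9vYmFyYmF6cXV4MTIzNDU2
DATABASE_URL=postgres://example.invalid/db
2026-02-18 12:00:01 WARN auth failed key=sleds_ak_short
2026-02-18 12:00:02 INFO Authorization: Bearer sleds_ak_Zm9vYmFyYmF6cXV4MTIzNDU2
"""

if __name__ == "__main__":
    for line_no, shown, fp in scan(SAMPLE):
        print(f"line {line_no}: {shown} (sha256:{fp})")
```

Any finding is a key to revoke from the dashboard; the fingerprint lets the same key be recognised across files without copying the secret into a report.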

🔐

Access Control

Every workspace enforces role-based access control with four levels: Owner, Admin, Editor, and Viewer. Permissions are granular — Viewers can read and search but cannot write observations or share assets. Only Admins can manage members and API keys. Only Owners can delete a workspace.

Roles are assigned per-workspace, so a user can have different permissions across different workspaces.

Permission    Viewer    Editor    Admin    Owner
Read threads & assets
Search context
Write observations
Share assets
Manage members
Manage API keys
Delete workspace

🔒

Encryption

All data is encrypted at rest using AES-256, managed by Neon (via AWS). Database backups are encrypted with the same standard. API keys are bcrypt-hashed before storage — we never store them in plaintext.

All data in transit uses TLS 1.2+ (1.3 preferred). This covers browser-to-API, API-to-database, API-to-Redis, and MCP tool-to-API connections. No unencrypted endpoints exist.

🤖

AI Data Handling

sleds is a context layer — we store and serve your team's shared context. We do not use your data to train, fine-tune, or improve any AI models.

When you use Frost (our built-in AI assistant), context is sent to Anthropic's Claude API, which does not retain API inputs or outputs by default.

For MCP and REST API connections, sleds only receives what your AI tools explicitly send (observations, assets) and only returns context scoped to the authenticated workspace. Each connected tool's own data policies apply to how they handle responses — that's outside our control, but within yours.

💾

Backups & Recovery

All databases are hosted on Neon with automated daily backups and point-in-time recovery. Redis data on Upstash is ephemeral (session state, real-time events) and is not included in long-term backups.

Database backups are retained for 7 days. In the event of data loss, we can restore to any point within that window.

🗑️

Data Deletion & Portability

Workspace owners can delete individual threads, assets, or entire workspaces at any time. Deletion is permanent and cascading. Account deletion removes all personal data and workspace memberships.

All context is accessible via our REST API — you can export your full workspace in structured JSON at any time. We believe in zero lock-in.

📋

Compliance

We are currently building toward formal compliance certifications. Our roadmap:

Q2 2026: Privacy Policy and Terms of Service with legal review
Q4 2026: SOC 2 Type I audit
2027: SOC 2 Type II with ongoing compliance

We do not claim any certifications we haven't earned. For a detailed breakdown of our current security posture, see our Trust Center.

🚨

Security Issue Reporting

If you discover a potential security vulnerability, please report it to security@sleds.ai.

Our security team will acknowledge receipt within 24 hours, provide an initial assessment within 72 hours, and keep you updated on resolution.

Last updated: February 18, 2026