Tenant isolation
Every record in ByteShift carries an organization identifier, and every read is scoped to the authenticated identity — never to a value in the URL or payload. Telemetry is isolated by namespace in the data store, and the identifier is resolved from your credentials on each request. There is no cross-tenant path by design.
Encryption
- In transit — traffic to the website, console, APIs, ingest endpoints, and MCP server is encrypted with TLS.
- At rest — sensitive credentials, such as OAuth tokens and integration secrets, are encrypted with AES-256-GCM before they are stored, and are never returned in API responses.
- Passwords — user passwords and API keys are stored only as salted hashes, never in plaintext.
Access control
Access to production systems is limited to authorized personnel on a least-privilege basis and is logged. Authentication to the Service supports session, API key, and OAuth 2.1 lanes, each scoped to a single organization. Write operations exposed to agents carry an explicit annotation so hosts can require human confirmation before anything changes.
Infrastructure
The Service runs on DigitalOcean's managed infrastructure in the United States. We build on hardened, well-maintained open-source components, apply security updates promptly, and keep our data stores off the public internet behind authenticated services.
Reliability and honesty
ByteShift is built on a “no false green” principle: a check that could not run reports as broken, never as healthy. That same discipline applies to security posture — we do not present a control as effective unless it actually ran. Availability and integrity are part of how we protect your data, not just a feature.
Responsible disclosure
If you believe you have found a security vulnerability, please tell us before disclosing it publicly. Email security@byteshift.com with enough detail to reproduce the issue. We will acknowledge your report, investigate, and keep you informed. Please do not access data that is not yours, degrade the Service, or run automated scans that affect other customers while testing — good-faith research conducted under these guidelines is welcome.
Contact
For security questions, documentation requests, or to report an incident, email security@byteshift.com.