Security
How we protect your data and what we ask of you.
Infrastructure
codewithluca runs on cloud providers that hold SOC 2 Type II reports. Production data is encrypted at rest with AES-256 and in transit with TLS 1.3.
Authentication
Passwords are hashed with bcrypt. We support Google SSO, and SAML SSO is available on Team plans. Session tokens are short-lived and stored in cookies with the HttpOnly, Secure and SameSite attributes set.
Isolation
Project execution is sandboxed in iframes served with a strict Content Security Policy. Each user's data is isolated logically, by user_id, at the database layer rather than in separate databases; cross-user access is rejected at the API.
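The two checks behind the paragraph above, written out as an added example that is not codewithluca's code: a sandbox-attribute builder for the execution iframe that refuses the allow-scripts plus allow-same-origin pair, a CSP builder for the frame's document, and a project lookup in which the user_id filter is part of the query itself, so a request for another user's project id yields "not found". The table rows, user ids, CSP directive values and app origin are assumptions made for the example.

```javascript
// Added example (not codewithluca's code). Rows, ids, CSP values and the app
// origin are assumptions; nothing here is taken from the real service.

// Constructed in-memory rows standing in for the projects table.
const PROJECTS = [
  { id: "p-1", user_id: "u-alice", code: "console.log('hello from alice')" },
  { id: "p-2", user_id: "u-bob",   code: "fetch('/api/projects')" },
];

const KNOWN_SANDBOX_FLAGS = new Set([
  "allow-scripts", "allow-forms", "allow-modals", "allow-popups", "allow-same-origin",
]);

// Value for <iframe sandbox="..."> on the execution frame. If the framed document
// is same-origin with the embedding page and carries both allow-scripts and
// allow-same-origin, a script inside it can reach window.parent.document and strip
// the sandbox attribute, so that pair is refused outright.
function sandboxAttribute(flags) {
  for (const f of flags) {
    if (!KNOWN_SANDBOX_FLAGS.has(f)) throw new Error(`unknown sandbox flag: ${f}`);
  }
  if (flags.includes("allow-scripts") && flags.includes("allow-same-origin")) {
    throw new Error("allow-scripts + allow-same-origin can undo the sandbox; drop one");
  }
  return flags.join(" ");
}

// Content-Security-Policy served with the execution frame's own document
// (assumed values): nothing loads by default, inline scripts run because the user's
// code is injected inline, and only the app origin may embed the frame.
function executionFrameCsp(appOrigin) {
  const directives = {
    "default-src": ["'none'"],
    "script-src": ["'unsafe-inline'"],
    "style-src": ["'unsafe-inline'"],
    "img-src": ["data:"],
    "frame-ancestors": [appOrigin],
  };
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(" ")}`)
    .join("; ");
}

// Tenant-scoped lookup: the user_id predicate is inside the query, not a check made
// after the row is fetched, so no code path ever holds another user's row.
function findProjectForUser(sessionUserId, projectId) {
  return PROJECTS.find((p) => p.id === projectId && p.user_id === sessionUserId) || null;
}

// API handler: 401 without a session; 404 rather than 403 when the project is not
// the caller's, so the response does not confirm that someone else's id exists.
function handleGetProject(session, params) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  const project = findProjectForUser(session.userId, params.projectId);
  if (!project) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: { id: project.id, code: project.code } };
}

console.log(sandboxAttribute(["allow-scripts", "allow-forms"]));
console.log(executionFrameCsp("https://app.example"));
console.log(handleGetProject({ userId: "u-alice" }, { projectId: "p-2" }).status); // → 404
```

The thing to audit in a real code base is not the one handler but every query that touches a per-user table: each one must carry the user_id predicate, which is easier to guarantee with an ORM default scope or database row-level security than by re-adding the filter in each handler.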
Access control
codewithluca employees access customer data only when necessary for support (with the customer's permission) or to investigate abuse. Each access is logged, and the access logs are reviewed monthly.
Bug bounty
We run a private bug bounty program. Send PGP-encrypted reports to security@codewithluca.app. We acknowledge reports within 24 hours and reward valid reports based on severity.
Status & disclosures
Live status: status.codewithluca.app. We disclose material security incidents publicly within 72 hours, and we do not misrepresent our security posture to customers.