Security
How your work is isolated and protected.
A plain-language description of the controls in place and the limits of what the product does. For implementation detail, see SECURITY.md in the repository.
Tenant isolation
Every project, document, chunk, run, subscription record, and usage entry is owned by a single account. Database access is enforced with PostgreSQL Row Level Security: each table carries a policy that lets a query read or write only rows whose owner column matches the authenticated user, so even a query that forgets its WHERE clause cannot return or modify another account's rows. Isolation is enforced in the database, not only in application code.
Documents and storage
Uploaded documents live in a private storage bucket under a user-scoped path. They are served only through short-lived signed URLs generated on the server. Uploads are checked against an explicit allowlist of file types and a size limit before they are accepted.
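The checks the previous paragraph describes, written out as an added example (this is illustrative code, not the product's own upload handler): a type allowlist keyed on the file extension, a magic-byte check so that a renamed binary does not pass as a PDF, and a size cap enforced on the bytes actually read rather than on the declared Content-Length. The allowlist, the 5 MiB limit, and the function and type names are assumptions; the storage key is generated server-side under the user's prefix so that nothing from the client's filename reaches the path.

```python
"""Pre-acceptance checks for an uploaded document (added example, not the
product's own code). Allowlist, limit and names are assumptions."""
from __future__ import annotations

import io
import uuid
from dataclasses import dataclass

# Assumed allowlist: extension -> bytes the content must begin with.
# An empty prefix means a text format with no magic; those are checked for NUL bytes instead.
ALLOWED_TYPES: dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".txt": b"",
    ".md": b"",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed 5 MiB cap
CHUNK = 64 * 1024


class UploadRejected(ValueError):
    """Raised for any upload that fails a pre-acceptance check."""


@dataclass
class AcceptedUpload:
    filename: str
    extension: str
    size: int
    data: bytes


def _extension(filename: str) -> str:
    # Strip any path the client sent, keep only the last suffix, lower-cased.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].lower()


def check_upload(filename: str, stream: io.BufferedIOBase,
                 declared_size: int | None = None) -> AcceptedUpload:
    """Return an AcceptedUpload or raise UploadRejected. Never trusts the client's size."""
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"type not allowed: {ext or '(none)'}")
    # A declared Content-Length lets us fail early, but the cap below is what is enforced.
    if declared_size is not None and declared_size > MAX_UPLOAD_BYTES:
        raise UploadRejected("declared size exceeds limit")
    buf = bytearray()
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        buf += chunk
        if len(buf) > MAX_UPLOAD_BYTES:
            # Stop reading as soon as the cap is crossed; the rest is never consumed.
            raise UploadRejected("upload exceeds size limit")
    data = bytes(buf)
    magic = ALLOWED_TYPES[ext]
    if magic:
        if not data.startswith(magic):
            raise UploadRejected(f"content does not look like {ext}")
    elif b"\x00" in data:
        raise UploadRejected("binary content in a text upload")
    return AcceptedUpload(filename=filename, extension=ext, size=len(data), data=data)


def storage_key(user_id: str, upload: AcceptedUpload) -> str:
    """Server-generated object key under the user's prefix; the client's filename is not used."""
    return f"{user_id}/{uuid.uuid4().hex}{upload.extension}"


if __name__ == "__main__":
    # Constructed sample input.
    ok = check_upload("report.PDF", io.BytesIO(b"%PDF-1.7\n%constructed"))
    print(storage_key("user_42", ok))
    try:
        check_upload("fake.pdf", io.BytesIO(b"MZ\x90\x00 not a pdf"))
    except UploadRejected as e:
        print("rejected:", e)
```

The magic-byte check is deliberately shallow: it stops an executable renamed to .pdf, not a malformed PDF. Parsing the document itself belongs to the ingestion step, after the upload has been accepted and stored.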
No code execution
Generated scripts and uploaded source are never executed on our servers. Validation is static: the file is parsed, checked structurally, and scanned for unsafe constructs; it is never run. Uploaded Python and Tcl are inspected, never executed. Whether a script behaves correctly inside a vendor tool can only be established by running it in that tool.
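What a parse-only inspection of an uploaded Python script looks like, as an added example (not the product's scanner; the flagged names and the result type are assumptions): the source is parsed with the standard library's ast module and the tree is walked for imports and calls that would matter if the file were ever executed. Nothing is imported, compiled to bytecode, or run. Tcl is not covered by this example.

```python
"""Static inspection of uploaded Python (added example, not the product's
own scanner). Flag sets and names are assumptions."""
from __future__ import annotations

import ast
from dataclasses import dataclass, field

# Assumed flag lists: builtins that execute code or touch the filesystem,
# and modules whose use would matter if the script were run.
FLAGGED_CALLS = {"exec", "eval", "compile", "__import__", "open"}
FLAGGED_MODULES = {"os", "subprocess", "socket", "ctypes", "shutil", "importlib"}


@dataclass
class ScanResult:
    ok: bool
    syntax_error: str | None = None
    findings: list[str] = field(default_factory=list)
    top_level_defs: list[str] = field(default_factory=list)


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.run'; empty for dynamic callees."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    parts: list[str] = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def scan_python(source: str) -> ScanResult:
    """Parse and walk the source; never executes it."""
    try:
        tree = ast.parse(source)  # parse only: no import, no exec
    except SyntaxError as e:
        return ScanResult(ok=False, syntax_error=f"line {e.lineno}: {e.msg}")
    res = ScanResult(ok=True)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in FLAGGED_MODULES:
                    res.findings.append(f"line {node.lineno}: import {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in FLAGGED_MODULES:
                res.findings.append(f"line {node.lineno}: from {node.module} import ...")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in FLAGGED_CALLS or name.split(".")[0] in FLAGGED_MODULES:
                res.findings.append(f"line {node.lineno}: call {name}()")
    # Structural summary: what the script defines at module level.
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            res.top_level_defs.append(node.name)
    res.ok = not res.findings
    return res


if __name__ == "__main__":
    # Constructed sample input.
    sample = "import subprocess\nsubprocess.run(['ls'])\nexec('x')\n"
    print(scan_python(sample))
```

A name-based scan only sees what the parser sees: a callee built at runtime (for example through getattr on the builtins module) leaves no flagged name in the tree. The scan is therefore a quality and review aid; the property that actually protects the server is the one stated above, that the file is never run.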
Logging and analytics
Prompts, generated scripts, and document contents are never written to logs, error reports, or product analytics. Telemetry records structural events (a run started, a check failed) without the underlying text.
Model provider handling
Requests to the model provider are sent with provider-side retention disabled. Only the minimum context needed for the current request is sent: the project state, the current script, the latest relevant error, your request, and the retrieved documentation snippets.
Billing webhooks
Subscription webhooks are verified with the provider's signature scheme over the raw, unparsed request body before any state change is applied; a request that fails verification is rejected without being processed.
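An added example of verifying a webhook over the raw body (not the product's handler, and not any specific provider's library). The header format assumed here, t=<unix time>,v1=<hex HMAC-SHA256 of "<t>.<raw body>">, is modeled on a common provider scheme; substitute the provider's documented one. The secret and the payload are constructed. The example also shows why "raw" matters: re-serializing the JSON changes whitespace and the signature no longer verifies.

```python
"""Webhook signature verification over the raw request body (added example,
not the product's code). Header format, tolerance window and names are
assumptions."""
from __future__ import annotations

import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window: reject timestamps older than 5 minutes


class WebhookRejected(Exception):
    """Raised for a malformed, stale or unsigned request; nothing is processed."""


def sign(secret: bytes, raw_body: bytes, ts: int) -> str:
    """Build the header the provider would send. Used here only to construct test input."""
    mac = hmac.new(secret, b"%d." % ts + raw_body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_and_parse(secret: bytes, raw_body: bytes, sig_header: str,
                     now: int | None = None) -> dict:
    """Authenticate the raw bytes first, parse them only afterwards."""
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in sig_header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        given = fields["v1"]
    except (KeyError, ValueError):
        raise WebhookRejected("malformed signature header")
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside tolerance")  # limits replay of a captured request
    expected = hmac.new(secret, b"%d." % ts + raw_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise WebhookRejected("signature mismatch")
    return json.loads(raw_body)


def is_valid(secret: bytes, raw_body: bytes, sig_header: str, now: int | None = None) -> bool:
    try:
        verify_and_parse(secret, raw_body, sig_header, now)
    except WebhookRejected:
        return False
    return True


def reserialize(raw_body: bytes) -> bytes:
    """What a framework does if it parses the body before you see it: same JSON, different bytes."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    # Constructed sample: secret, event and timestamp are made up.
    secret = b"whsec_constructed_secret"
    raw = b'{"type": "subscription.updated",  "id": "evt_1"}'
    header = sign(secret, raw, 1700000000)
    print(verify_and_parse(secret, raw, header, now=1700000010))
    print("reserialized body verifies:", is_valid(secret, reserialize(raw), header, now=1700000010))
```

The tolerance window bounds replay but does not eliminate it; within the window, the usual companion is to record the event id and ignore a second delivery of the same id before applying any subscription change.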
Deletion
Deleting a project permanently removes its documents, chunks, and runs, and removes the associated files from storage. Deleting your account removes your data. These are hard deletes, not soft-delete flags.
What we do not claim
Siliscripter does not claim formal security certifications it does not hold, and it does not claim to have executed or fully verified proprietary EDA scripts. Where verification depends on a vendor runtime, the product says so.