Security at Steerly
We sell a security product to security-conscious engineers, so this page is written for them: what we do to keep Steerly trustworthy, and how to tell us when something looks wrong.
Report a vulnerability. Email [email protected] with steps to reproduce. We acknowledge within one business day, do not pursue good-faith researchers, and credit reporters who want it.
01 Our posture
Steerly's whole reason to exist is to watch what coding agents do and gate the risky parts. We apply the same discipline to ourselves: least privilege, defense in depth, deny-by-default on destructive actions, and an append-only audit trail for our own operations. The product earns trust by being flat, inspectable, and quiet about your data.
02 Data handling
- Source code is never stored. Steerly observes commands, tool events and PR diffs to classify them — it does not retain your repository contents.
- Secrets never enter audit storage. When DLP matches a secret, only byte offsets are recorded; the literal value is discarded.
- Encryption. Data is encrypted in transit with TLS 1.2+ and at rest with AES-256.
- Minimization. We collect only the metadata needed to run the service.
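As an added illustration of the offset-only secret handling described above (example code, not Steerly's implementation), the snippet below records a DLP match as a pattern name plus byte offsets, masks the span for display, and goes one step further by appending the event to a hash-chained log so that tampering with an earlier entry is detectable. The pattern set, the `SAMPLE` command line and all function names are constructed for this example.

```python
import hashlib
import json
import re

# Hypothetical pattern set, constructed for this example; a real engine carries many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "bearer_token": re.compile(rb"Bearer\s+[A-Za-z0-9._\-]{20,}"),
}
# Constructed sample command; the key is AWS's published documentation example, not a live credential.
SAMPLE = b"aws s3 cp notes.txt s3://bucket/ --access-key AKIAIOSFODNN7EXAMPLE"

def dlp_event(command: bytes, event_id: int) -> dict:
    """Build the audit event for a captured command. Each match is recorded as a
    pattern name plus byte offsets only; the matched bytes never enter the event."""
    secrets = [
        {"kind": kind, "start": m.start(), "end": m.end()}
        for kind, pat in SECRET_PATTERNS.items()
        for m in pat.finditer(command)
    ]
    return {"id": event_id, "length": len(command), "secrets": secrets}

def redact(command: bytes, event: dict) -> bytes:
    """Mask the recorded spans so a display copy can be shown without the literal."""
    out = bytearray(command)
    for s in event["secrets"]:
        out[s["start"]:s["end"]] = b"*" * (s["end"] - s["start"])
    return bytes(out)

def append_chained(log: list, event: dict) -> str:
    """Append an event whose hash also covers the previous entry's hash, so
    editing or deleting an earlier entry breaks verification of everything after it."""
    prev = log[-1]["hash"] if log else "0" * 64
    digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
    log.append({"prev": prev, "event": event, "hash": digest})
    return digest

def verify_chain(log: list) -> bool:
    """Recompute every link from the genesis value; any mismatch fails the whole chain."""
    prev = "0" * 64
    for entry in log:
        expected = hashlib.sha256((prev + json.dumps(entry["event"], sort_keys=True)).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True
```

The event dict is what would be safe to persist or ship off-device; the raw `command` bytes are only ever passed to `redact` locally.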
03 Local-first design
The workbench runs on your machine because it must — to observe the agents there. Your command audit log, memory-graph notes, and policy packs live in a local .steerly/ directory. Nothing leaves the device unless your plan enables cloud policy sync or team audit, and even then only classification events are sent — never your code.
04 Application security
- Deterministic policy engine with a parity gate that prevents a rule change from ever loosening a known deny.
- Signed application builds and auto-updates for macOS and Windows.
- Dependencies are pinned and continuously scanned; security patches are prioritized.
- Code review and automated tests are required on every change to the security spine.
05 Infrastructure
Our control plane runs on hardened, reputable cloud infrastructure in isolated environments with network segmentation, managed secrets, and continuous logging. Backups are encrypted and tested. We maintain an incident-response plan and notify affected customers without undue delay if an incident occurs.
06 Access & identity
Internal access to production follows least privilege, requires SSO with multi-factor authentication, and is logged and reviewed. Enterprise customers get SSO/SAML, SCIM provisioning, per-agent identity, and configurable session policies.
07 Compliance
Steerly is built to support SOC 2 and ISO 27001-aligned controls, and produces exportable, hash-chained audit evidence you can hand to an auditor or stream to your SIEM. Enterprise plans include a security questionnaire turnaround, DPA, and regional data-residency options. Current reports are available under NDA — ask on the contact page.
08 Responsible disclosure
We welcome good-faith research. Please give us a reasonable window to fix issues before public disclosure, avoid privacy violations and service disruption, and only test against accounts you own. Send reports to [email protected]. We don't run a paid bounty yet, but we credit every valid report.