Security.
Your source code and binary assets are among your studio's most sensitive IP. Here's how Diversion protects them.
Encryption.
All binary objects in the Diversion object store are encrypted at rest using AES-256-GCM with per-object keys derived from a workspace-level master key. Master keys are stored in a separate key management service with hardware security module (HSM) backing.
All data in transit between clients, the delta cache, and the object store uses TLS 1.3 with forward-secret cipher suites. We enforce certificate pinning in the CLI and IDE plugins to prevent interception.
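The paragraph above describes envelope encryption: a workspace master key that never touches object data directly, a per-object key derived from it, and AES-256-GCM on each object. The block below is an added illustration of that design, not Diversion's own code. It assumes HKDF-SHA256 as the derivation function (the page says only "derived from") and binds the object ID into the GCM additional authenticated data so a ciphertext cannot be silently moved under another object's identity; the key label and sample object IDs are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// keyInfo is an assumed HKDF label; the page does not specify the derivation function.
const keyInfo = "example-object-key-v1"

// hkdfSHA256 is HKDF (RFC 5869) with SHA-256 for a single 32-byte output block:
// extract PRK = HMAC(salt, ikm), then expand T1 = HMAC(PRK, info || 0x01).
func hkdfSHA256(ikm, salt []byte, info string) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// DeriveObjectKey derives a per-object AES-256 key from the workspace master key.
// The object ID is the HKDF salt, so two objects never share a key and the master
// key itself is never used directly for encryption.
func DeriveObjectKey(master []byte, objectID string) []byte {
	return hkdfSHA256(master, []byte(objectID), keyInfo)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptObject returns nonce || ciphertext || tag. The object ID is passed as
// additional authenticated data, so a blob copied under another object's ID
// fails authentication even though the bytes are otherwise intact.
func EncryptObject(master []byte, objectID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveObjectKey(master, objectID))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectID)), nil
}

// DecryptObject reverses EncryptObject; any modification to the blob, a wrong
// master key or a wrong object ID is reported as an authentication failure.
func DecryptObject(master []byte, objectID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveObjectKey(master, objectID))
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, sealed, []byte(objectID))
	if err != nil {
		return nil, errors.New("authentication failed: tampered blob, wrong key or wrong object ID")
	}
	return plaintext, nil
}

func main() {
	master := make([]byte, 32) // constructed workspace master key; a real one lives in the KMS
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	blob, _ := EncryptObject(master, "tex/hero_albedo.png", []byte("binary asset bytes"))
	pt, err := DecryptObject(master, "tex/hero_albedo.png", blob)
	fmt.Printf("decrypted %q, err=%v\n", pt, err)
	_, err = DecryptObject(master, "tex/other.png", blob)
	fmt.Println("under another object ID:", err)
}
```

Two properties of this layout are worth checking in any implementation of the scheme: GCM is only safe while no nonce repeats under a given key, and deriving a fresh key per object keeps the number of encryptions under each key tiny, so a random 96-bit nonce carries no meaningful collision risk; and because the master key is an input to the KDF rather than the encryption key, rotating it re-keys every object without the data plane ever holding the KMS-backed secret in a form it encrypts with directly.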
Credentials.
No plaintext credentials are stored. API tokens are scoped to workspace + permission level and stored as PBKDF2-SHA256 hashes. Session tokens expire after 24 hours of inactivity. CLI credentials are stored in the OS keychain (Keychain on macOS, Windows Credential Manager, libsecret on Linux) — never in plaintext config files.
Access control.
- Role-based access: Owner / Admin / Contributor / Read-only at workspace level
- Per-branch lock-down: branches can require admin approval to merge
- Audit log: all sync, lock, merge, and admin actions are logged with timestamp, user, and IP
- Least-privilege service tokens for build farm hooks: CI tokens can only trigger sync, not branch or admin ops
Infrastructure.
The Diversion object store runs on data center infrastructure that maintains SOC 2 Type II compliance at the facility level. Diversion itself is an early-stage product and does not yet hold independent SOC 2 certification — we will publish our own audit report when it is complete. The Delta Cache layer is deployed in multiple regions to keep sync latency close to your build farm. Network segmentation isolates the key management service from the data plane.
Responsible Disclosure.
We take security reports seriously. If you discover a vulnerability in Diversion's CLI, plugins, API, or web dashboard, please report it to us before public disclosure.
Contact: [email protected] with subject line "Security Disclosure". We will respond within 48 hours and work toward a fix before coordinating public disclosure. We do not currently offer a monetary bounty program, but we'll credit you in the changelog if you'd like.