Encryption

In transit

All traffic to and between our services runs over TLS 1.2 or higher, with TLS 1.3 preferred and negotiated for the overwhelming majority of connections. Plain HTTP is not redirected-then-served — HSTS with preload means browsers refuse to attempt it after first contact. Internal service-to-service traffic crosses our hosting provider's network encrypted; we do not run unencrypted internal hops, including for telemetry.

At rest

User content, context data, and run traces are stored encrypted at rest with AES-256 via our infrastructure providers' storage-layer encryption. Backups inherit the same protection. Key management is currently provider-managed: the honest description is that encryption at rest protects against stolen disks and provider-side physical compromise, not against a compromise of our own application layer — application-layer attacks see decrypted data, which is why access control and the trust kernel matter more than this paragraph.

Secrets and credentials

• ↳API keys and tokens are stored hashed or encrypted, never in plaintext at rest.
• ↳The admin key and service credentials live in the deployment platform's secret store, injected at runtime — never in the repository, never in client bundles.
• ↳Capability tokens are random, single-purpose, and scoped to one resource; they are not derived from user identity and cannot be elevated.

What we do not offer yet

Customer-managed keys (BYOK) and end-to-end encryption of user content are not currently offered. E2EE in particular is in real tension with what Y0 is — a runtime that must read your context to act on it — so any future design there will be a careful scoping exercise, not a checkbox. We list this so the absence is a stated decision, not a discovered gap.