Our security posture, in plain English
Trust & security

We don't have your keys.
By design.

StackPilot App is built so the things that could hurt you - SSH keys, root credentials, env values, your codebase - never touch our infrastructure. Here's exactly what we mean.

The architecture, in one sentence

If our company disappeared overnight,
your servers and code would be fine.

StackPilot App is a desktop application. The licence server validates your purchase and ships updates — that's it. Everything that matters to your infrastructure lives on your machine and your VPS. We never see, store, transmit, or proxy any of it.

Open netstat or lsof while a deploy runs: the deploy traffic goes to your server's IP and nowhere else. The only other hosts the app ever contacts are our licence server and the update host.
Tauri app: the UI runs in the OS WebView and reaches the system only through the commands the Rust core explicitly exposes, with no Node runtime for a compromised page to escape into.
The licence check is a single signed HTTP request to our licence server, and signed updates are pulled from Cloudflare R2. That's our entire backend.

The full network picture

[Diagram: Your data, end-to-end]
Your Mac: StackPilot.app · macOS Keychain · ~/Library/.../stplt.json (SSH keys · tokens · .env)
  → direct SSH · port 22 (commands, files, logs) → Your VPS: Ubuntu / Debian · your code · your DB · isolated site users
  → licence check only → Licence server (licence + update check only)
  → Cloudflare R2 (signed app updates only)
What lives where

A simple table.
No surprises later.

on your machine + VPS

stuff we never see
  • SSH keys & passwords - macOS Keychain, never transmitted.
  • Root passwords - Keychain entries, opt-in.
  • .env file values - On the server at chmod 640, edited in-place.
  • Your code - Only goes git provider → server.
  • Database credentials - Your VPS, your DB.
  • Git provider tokens - Stored locally, talk to GitHub/GitLab direct.

on our servers

everything we touch
  • Your licence key - The one we emailed you at purchase.
  • Licence metadata - Plan tier, seat count, expiry of updates.
  • The email you bought with - For receipts and support.
  • Per-device fingerprints - Pseudonymous device IDs, used only to enforce the device limit.
  • Payment metadata - Handled by Razorpay/PayPal, we get an order ID.
  • That's the full list - Anything else is on your machine.
How we keep what little we have safe

Six things we do explicitly.

OS Keychain

Sensitive values are stored in the macOS Keychain (Windows Credential Manager on the Windows build, currently in public beta), so at-rest encryption and access control are handled by the OS rather than by our own code.

↳ kSecAttrAccessibleAfterFirstUnlock

Signed releases

Every release is code-signed and notarised through Apple's pipeline. The in-app updater verifies the update's signature against the public key embedded in the app before it applies anything, so neither the download host nor anyone in the path can push modified code.

↳ Tauri updater · Cloudflare R2 hosting

Isolated server users

Every site provisioned by StackPilot App gets its own OS user and home directory (mode 750). A compromise of one site runs as that user only, so it cannot read the files or signal the processes of another.

↳ sp_app_acme_io · chmod 750

24-hour offline grace

If licence validation can't reach our API, StackPilot App keeps working for 24 hours on the last successful validation before it starts nagging you; only after that window does it block. You won't get locked out mid-deploy.

↳ 3-state · valid / grace / blocked

HMAC webhook verification

Every auto-deploy webhook carries a SHA-256 HMAC computed with a per-site 64-character secret. The receiver recomputes it over the raw request body and compares the two values in constant time, so a forged payload is rejected before any deploy logic runs.

↳ SHA-256 · constant-time compare
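What that check looks like on the receiving end, written in Go as an added example. This is not StackPilot App's code: the header name, the sha256=&lt;hex&gt; encoding and the sample payloads are assumptions borrowed from GitHub's push webhooks, and the secret is a constructed stand-in for a per-site 64-character secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header name and "sha256=<hex>" encoding follow GitHub's push webhooks;
// they are assumptions for this example, not StackPilot's wire format.
const sigHeader = "X-Hub-Signature-256"

// signBody is what the sender does: HMAC-SHA256 over the raw body.
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verifyBody recomputes the MAC over the exact bytes received and compares
// in constant time. hmac.Equal, not bytes.Equal: an early-exit compare leaks
// how many leading bytes of a guessed signature were right.
func verifyBody(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(header[len(prefix):])
	if err != nil || len(got) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// webhookHandler reads the raw body (bounded), verifies it, and only then
// hands it to deploy. Nothing is parsed before the signature check.
func webhookHandler(secret []byte, deploy func(body []byte)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !verifyBody(secret, body, r.Header.Get(sigHeader)) {
			http.Error(w, "bad signature", http.StatusUnauthorized)
			return
		}
		deploy(body)
		w.WriteHeader(http.StatusAccepted)
	}
}

// deliver posts one payload to the handler in-process and reports the HTTP
// status and whether the deploy callback ran.
func deliver(secret, body []byte, header string) (status int, deployed bool) {
	h := webhookHandler(secret, func([]byte) { deployed = true })
	req := httptest.NewRequest(http.MethodPost, "/hooks/acme.io", strings.NewReader(string(body)))
	req.Header.Set(sigHeader, header)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, deployed
}

func main() {
	secret := []byte(strings.Repeat("0123456789abcdef", 4)) // constructed 64-char per-site secret
	body := []byte(`{"ref":"refs/heads/main","after":"0a1b2c"}`)
	fmt.Println(deliver(secret, body, signBody(secret, body)))                                  // 202 true
	fmt.Println(deliver(secret, []byte(`{"ref":"refs/heads/evil"}`), signBody(secret, body))) // 401 false
	fmt.Println(deliver(secret, body, "sha256=deadbeef"))                                       // 401 false
}
```

The two details worth copying are that the MAC is computed over the raw bytes before any JSON parsing (a parser that normalises whitespace would otherwise let a forged body verify), and that the body read is bounded so an unauthenticated sender cannot make the receiver buffer an arbitrarily large payload before the check fails.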

Encrypted portable backups

Export your whole setup as an encrypted .stplt bundle. Bring it to a new machine, decrypt, you're back. No StackPilot App account needed.

↳ AES-256-GCM · user-supplied passphrase
Receipts, not just promises

Verify everything yourself.

Watch the network

Run lsof -i -P | grep StackPilot while you deploy. The only remote endpoints you'll see are your own servers, our licence server and, during an update, the update host.

How to verify →
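If you want that check as something you can re-run rather than eyeball, here is a small Go program, added as an example and not part of StackPilot App, that reads lsof -i -P -n output and lists any StackPilot connection whose remote address is outside an allowlist of your own servers and our licence endpoint. The sample lsof lines and the addresses in them are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"strings"
)

// sampleLsof is constructed output in the shape `lsof -i -P -n` prints on
// macOS; the addresses are documentation ranges, not real hosts.
const sampleLsof = `COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
StackPilo 41233  dev   23u  IPv4 0x8c3e1a2b00000001      0t0  TCP 192.168.1.20:52344->203.0.113.5:22 (ESTABLISHED)
StackPilo 41233  dev   27u  IPv4 0x8c3e1a2b00000002      0t0  TCP 192.168.1.20:52351->198.51.100.7:443 (ESTABLISHED)
StackPilo 41233  dev   29u  IPv4 0x8c3e1a2b00000003      0t0  TCP 192.168.1.20:52360->192.0.2.99:443 (ESTABLISHED)
Safari      612  dev   40u  IPv4 0x8c3e1a2b00000004      0t0  TCP 192.168.1.20:52400->192.0.2.50:443 (ESTABLISHED)
`

// unexpectedRemotes scans lsof output and returns the remote endpoints of
// StackPilot connections whose address is outside the allowed CIDRs.
func unexpectedRemotes(lsofOutput string, allowedCIDRs []string) ([]string, error) {
	var nets []*net.IPNet
	for _, c := range allowedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(lsofOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// lsof truncates COMMAND to nine characters, so match on the prefix.
		if len(f) < 9 || !strings.HasPrefix(f[0], "StackPilo") {
			continue
		}
		name := f[8]
		i := strings.Index(name, "->")
		if i < 0 {
			continue // listening socket: no peer to check
		}
		remote := name[i+2:]
		host, port, err := net.SplitHostPort(remote)
		if err != nil {
			bad = append(bad, remote)
			continue
		}
		ip := net.ParseIP(host)
		if ip == nil {
			bad = append(bad, remote) // a name, not an address: lsof ran without -n
			continue
		}
		allowed := false
		for _, n := range nets {
			if n.Contains(ip) {
				allowed = true
				break
			}
		}
		if !allowed {
			bad = append(bad, net.JoinHostPort(host, port))
		}
	}
	return bad, sc.Err()
}

func main() {
	allow := []string{"203.0.113.5/32", "198.51.100.7/32"} // your VPS and the licence server (constructed)
	in := sampleLsof
	if len(os.Args) > 1 { // real use: lsof -i -P -n | go run . <cidr> <cidr>...
		allow = os.Args[1:]
		b, _ := io.ReadAll(os.Stdin)
		in = string(b)
	}
	bad, err := unexpectedRemotes(in, allow)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, r := range bad {
		fmt.Println("unexpected:", r)
	}
}
```

Run it a few times during a deploy and once during an update check; a connection that only appears in the second case is the update host, which belongs on the allowlist too.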
Read the EULA

Section 6 is "Data we collect" - fits in half a page. Section 7 is "Data we don't collect" - much longer.

Read EULA →
Inspect the binary

Release builds are notarised. Inspect the signature with codesign -d, and compare the build you downloaded against the hashes published with every release.

Release hashes →
Sunset policy

If we ever shut down, we publish the offline-validation public key. Your purchased version keeps working indefinitely.

Sunset clause →
Common questions

Security & trust FAQ.

What if your company shuts down?

Your purchased version keeps working. Licence validation has a 24-hour offline grace, and under our public sunset commitment we publish the offline-validation public key, after which validation works forever. Your servers and your code don't depend on us at all - there's nothing to "go down" with us.
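The valid / grace / blocked logic from the 24-hour offline grace item above, together with the sunset case where validation runs against a published public key instead of a live server, written in Go as an added example. This is not StackPilot App's code: the licence fields, the use of Ed25519, the treatment of a badly signed response and the timings in main are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// licence is the payload the licence server is assumed to sign. The field
// names are invented for this example; the real wire format is not on the page.
type licence struct {
	Key          string    `json:"key"`
	DeviceID     string    `json:"device_id"`
	IssuedAt     time.Time `json:"issued_at"`
	UpdatesUntil time.Time `json:"updates_until"`
}

type state string

const (
	stateValid   state = "valid"
	stateGrace   state = "grace"
	stateBlocked state = "blocked"
	gracePeriod        = 24 * time.Hour
)

// validator holds the key that signs licence responses. After a sunset the
// same slot holds the published offline-validation public key.
type validator struct {
	pub         ed25519.PublicKey
	lastSuccess time.Time // when a correctly signed response was last seen
}

// verify checks the Ed25519 signature over the raw JSON before trusting any field.
func (v *validator) verify(payload, sig []byte) (licence, error) {
	if !ed25519.Verify(v.pub, payload, sig) {
		return licence{}, errors.New("licence signature invalid")
	}
	var lic licence
	if err := json.Unmarshal(payload, &lic); err != nil {
		return licence{}, err
	}
	return lic, nil
}

// check is called on every validation attempt. reachable=false means the
// licence server could not be contacted, so payload and sig are ignored.
// A reachable server that returns a bad signature is treated exactly like an
// unreachable one: it never extends the grace window.
func (v *validator) check(now time.Time, reachable bool, payload, sig []byte) state {
	if reachable {
		if _, err := v.verify(payload, sig); err == nil {
			v.lastSuccess = now
			return stateValid
		}
	}
	if v.lastSuccess.IsZero() || now.Sub(v.lastSuccess) > gracePeriod {
		return stateBlocked
	}
	return stateGrace
}

// sign stands in for the licence server (or, after sunset, for the signed
// offline token) and exists only to build valid samples.
func sign(priv ed25519.PrivateKey, lic licence) (payload, sig []byte, err error) {
	payload, err = json.Marshal(lic)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t0 := time.Date(2025, 1, 1, 9, 0, 0, 0, time.UTC)
	payload, sig, _ := sign(priv, licence{Key: "SP-EXAMPLE", DeviceID: "dev-1", IssuedAt: t0, UpdatesUntil: t0.AddDate(1, 0, 0)})
	v := &validator{pub: pub}
	fmt.Println(v.check(t0, true, payload, sig))                   // valid
	fmt.Println(v.check(t0.Add(6*time.Hour), false, nil, nil))     // grace: API unreachable, 6h since last success
	forged := append([]byte(nil), sig...)
	forged[0] ^= 1
	fmt.Println(v.check(t0.Add(12*time.Hour), true, payload, forged)) // grace: reachable but badly signed
	fmt.Println(v.check(t0.Add(25*time.Hour), false, nil, nil))    // blocked: grace window exhausted
	fmt.Println(v.check(t0.Add(25*time.Hour), true, payload, sig)) // valid again
}
```

The sunset case is the same verify call with a different key: once the offline-validation public key is published, the app checks a locally stored signed token against it and never needs the server, so it stays in the valid state indefinitely.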

What if my computer is stolen?

SSH keys are in the macOS Keychain, which is encrypted at rest under your user account. If you've enabled FileVault (you should), the whole disk is encrypted too. Treat it like any compromised machine: remove the affected public keys from authorized_keys on each VPS, rotate any root passwords and git provider tokens the app had stored, then reinstall StackPilot App on your replacement.

Do you collect telemetry?

Minimal. Pseudonymous "the app launched" pings tell us which devices are active so we can enforce the device limit. No deploy events, no server IPs, no usage analytics, no error reports without explicit opt-in. The exact list is in EULA §6.

Can I run this on an air-gapped network?

Not fully - licence validation needs internet at least once every 24 hours. If you need true offline operation, contact us. We can ship enterprise-style perpetual licences with offline-only validation.

Is there an audit log?

StackPilot App does everything over an ordinary SSH session, so your server's own logs are the record: logins in the SSH auth log (journalctl or auth.log), service restarts in the journal, HTTP traffic in the Nginx access logs, all attributed to the system user that ran them. Multi-user audit logs (who-did-what) are on the roadmap with team collaboration.

Where is your business legally based?

StackPilot App is operated by Hayanlabs, registered in Hyderabad, India. GSTIN 36AATFH2428J1Z0. Subject to Indian data-protection law and any local laws applicable to you as a buyer.

Ready to deploy with confidence?

Architecture you can audit. Receipts you can verify. A team you can email.