Security
Security at Patchly
We take the security of your error data seriously. This page documents our current posture honestly — including what we haven't done yet.
Encryption in transit
All traffic between your app, the Patchly SDK, and our endpoints is encrypted via TLS 1.2+. We enforce HTTPS; plain HTTP requests are rejected.
Encryption at rest
Database volumes (Turso / libSQL) and blob storage (Cloudflare R2) are encrypted at rest using AES-256. Encryption keys are managed by the infrastructure provider.
Access controls
Dashboard access requires GitHub OAuth. Agent API tokens are SHA-256 hashed before storage and shown only once on creation. Cross-tenant access returns 404 — not 403 — to prevent existence leaks.
Dependency management
We use automated dependency scanning (Dependabot / pnpm audit) on the monorepo. Critical CVEs are patched within 7 days; high-severity CVEs within 30 days.
What we don't store
Patchly does not store raw card numbers (payment is delegated to Stripe), passwords (auth is delegated to GitHub OAuth), or source code (only source maps and stack traces). We strongly recommend scrubbing PII from error events before sending — the SDK includes a beforeSend hook for this.
Reporting a vulnerability
If you discover a security vulnerability, please email security@patchly.cc with a description of the issue and steps to reproduce. We will acknowledge receipt within 48 hours and provide an estimated fix timeline.
We ask that you give us reasonable time to patch before disclosing publicly. We do not currently offer a bug bounty program, but we will credit researchers who report valid vulnerabilities (with their permission).
Infrastructure
The ingest API runs on Cloudflare Workers (distributed globally, no persistent server). The dashboard runs on Vercel (Node.js, U.S. regions). The database is hosted on Turso's managed infrastructure. We do not run our own data center hardware.