Security at SICKR

AI coding agents are powerful and fallible. Our approach is to make agent work observable, governable, and reversible by design rather than to promise that automation is risk-free. We pair local-first visibility (Arc) with server-side governance records (Prime Workflow) so teams can see what agents did, gate what they are allowed to do, and keep an audit trail of why.

• Observe — watch and replay agent sessions locally before granting any new authority.
• Simulate — exercise governed workflows and dependency-gated execution before they touch anything real.
• Expand — grow agent scope deliberately, with approvals, evidence, and review as confidence grows.

Arc is designed to be local-first: the CLI records agent sessions to your machine and applies best-effort redaction of known secret patterns before content is written or transmitted. Redaction reduces accidental exposure but is not a guarantee, and live/replay viewing and share links are opt-in actions you control. You decide what to capture and what to make viewable.

Prime Workflow keeps tickets, workflow configuration, approvals, evidence, audit logs, comments, planning records, and metrics as server-side product records. These records exist so governed work is accountable: who asked for what, what an agent did, what evidence was produced, and who approved it.

Workflows can require human approval and human-intervention states before sensitive transitions. Dependency gates keep blocked work out of the dispatch pool until prerequisites complete. The intent is that consequential actions pass through a person, not around one.

• Authentication via GitHub OAuth — SICKR does not store account passwords.
• Organization, group, and team roles control who can view and change what.
• Encryption in transit (TLS) and encryption at rest on our managed stores.
• Access to production data is limited to staff with an operational need.

Connected agents use scoped API keys, and the CLI’s redaction layer is designed to keep known secret patterns out of captured content. You remain responsible for the credentials, keys, and connected accounts you authorize, and for rotating or revoking them as needed.

When you connect GitHub, Stripe, an AI/model provider, or another integration, data flows to that provider under its own security and privacy terms. Choose integrations and configurations appropriate to the sensitivity of your data. Payment data is handled by Stripe and does not reach SICKR’s servers in full.

We aim to process what is needed to provide the Services and to keep short, plan-dependent retention windows for ephemeral data such as live/share content. We are continuing to refine retention and minimization controls; see the Privacy Policy for current handling.

Production access, sensitive data, deployments, and irreversible actions should be introduced through deliberate scope expansion, customer approval, and appropriate security review — not enabled autonomously by default. Our AI-Agent Use and Governance Policy describes the recommended operating model.

We describe our posture plainly. SICKR does not currently hold SOC 2, ISO 27001, HIPAA, or similar certifications or attestations, and we do not represent the Services as end-to-end encrypted or as storing no customer data. Some advanced enterprise controls — such as SSO/SAML, custom retention controls, formal compliance reports, and advanced role-based access policies — may require a separate agreement or may be introduced as the platform matures. If you have specific security or compliance requirements, use the security disclosure form.

We welcome good-faith security research. Please report security concerns through the security disclosure form with enough detail to reproduce and evaluate the issue, and give us a reasonable time to respond before public disclosure. Test only against assets you are authorized to test (see the Acceptable Use Policy). Do not include sensitive third-party data, secrets, or production credentials in a report unless we specifically request them through an agreed secure channel.

For security reports and questions, use the security disclosure form. For general product support, use the support contact form.