Security at Web2APK AI
How we keep your code, your apps, and your users safe.
Encryption everywhere
All traffic is HTTPS-only with HSTS preload. Build artifacts and signing keystores are encrypted at rest with AES-256.
Isolated builds
Every build runs in a fresh, ephemeral container with no access to other tenants' data. Workspaces are wiped immediately after the build completes.
No password storage
We use OAuth (Google, GitHub) exclusively. We never see your password, so there is none for us to lose in a breach.
Defensive defaults
Strict CSP, X-Frame-Options DENY, no inline event handlers, per-user rate limiting, and structured input validation on every endpoint.
Auditable
Every build action is logged with stage, timestamp, and user. Enterprise plans get exportable audit trails for compliance.
Responsible disclosure
Found a vulnerability? Report it to security@web2apk.ai. We acknowledge within 24 hours and credit researchers in our hall of fame.
Report a vulnerability
Email security@web2apk.ai with reproduction steps. We respond within 24 hours and don't pursue legal action against good-faith research.
PGP key: available on request.