Last updated · 2026-05-20
Security.
SKYCOT is built for buyers whose security review is half the sales cycle. Here's the actual posture today — no aspirational claims.
What ships today
- Audit chain. Every action is logged with a tamper-evident hash chain — verifiable months later via argo audit verify.
- Truth-boundary controls. Teammates distinguish verified evidence from unknowns and defer sensitive claims instead of inventing.
- Workspace isolation. Every primitive carries a workspace stamp; CI guards block any code that could leak across the boundary.
- Per-action role permissions. Owner / Admin / Operator / Viewer roles map to a capability allow-list for every sensitive action.
- Encryption-at-rest. Local SKYCOT installs ship with an encrypted-at-rest store. Hosted plans use managed keys.
- Magic-link auth. No passwords. Short-lived bearer tokens. Cookie revocation table for instant force-logout.
- SOC 2-ready audit trail. The hash-chained log is the load-bearing evidence for SOC 2 controls. External SOC 2 Type II attestation is not claimed on this page.
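How a hash-chained audit log of the kind named in the Audit chain item can be checked, as an added example: this is not SKYCOT's code or log format, and the record fields, the SHA-256 construction and the separately stored head hash are assumptions. It goes one step past the page by showing that the chain alone catches an in-place edit, while truncation or a full rewrite is caught only when the head hash is also kept outside the log store.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed value the first entry links back to

def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return log[-1]["hash"]  # new head, to be stored outside the log

def verify(log, anchored_head=None):
    """Return (ok, index of first bad entry); index len(log) means head mismatch."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(log)
    return True, None

def rechain(log):
    """Recompute every link, as anyone with write access to the store could."""
    out = []
    for entry in log:
        append(out, entry["record"])
    return out

def sample_log():
    # Constructed sample records; field names are hypothetical.
    log, head = [], None
    for role in ("viewer", "operator", "admin"):
        head = append(log, {"workspace": "ws-a", "action": "role.grant", "role": role})
    return log, head

if __name__ == "__main__":
    log, head = sample_log()
    edited = copy.deepcopy(log)
    edited[1]["record"]["role"] = "owner"
    print(verify(log, head))              # intact log
    print(verify(edited))                 # in-place edit breaks the link
    print(verify(rechain(edited)))        # rewritten chain passes without an anchor
    print(verify(rechain(edited), head))  # anchored head exposes the rewrite
```

When reviewing any hash-chained audit trail, ask where the head hash is anchored and who can write to that location.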
Responsible disclosure
Found something? Email security@skycot.com. We triage security reports, coordinate disclosure, and credit reporters by name when cleared and requested.
Incident notification
If a security incident affects customer data, affected customers hear from us within 72 hours of discovery through their account contact.