Security

Last updated: January 2026

Our Commitment to Security

Security is foundational to Instructionly. As a platform that integrates with your development workflow, we understand the importance of protecting your data and maintaining your trust.

Infrastructure Security

AWS Infrastructure

Hosted on AWS with SOC 2 compliant infrastructure, utilizing VPCs, security groups, and encrypted storage.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are hashed and never stored in plain text.

Access Control

Role-based access control within workspaces. Internal systems use least-privilege access principles.

Monitoring

24/7 monitoring for security events, anomalies, and system health. Automated alerts for suspicious activity.

Application Security

  • Authentication: Secure password hashing with bcrypt, optional OAuth with Google
  • Session Management: JWT tokens with short expiration, secure cookie handling
  • API Security: Rate limiting, input validation, and protection against common attacks (XSS, CSRF, SQL injection)
  • MCP Authentication: Unique API keys per user, scoped to specific workspaces
  • Dependency Management: Regular audits and updates of third-party packages

Data Protection

  • Database: PostgreSQL with encrypted connections and automated backups
  • Secrets Management: AWS SSM Parameter Store for sensitive configuration
  • Payment Data: Handled entirely by Stripe; we never store card numbers
  • Logs: Sanitized to remove sensitive information before storage

What We Don't Do

  • We never access your source code or IDE contents
  • We don't store AI conversations between you and your IDE
  • We don't share your data with third parties for advertising
  • We don't use your instructions to train AI models

Incident Response

In the event of a security incident:

  • We have documented incident response procedures
  • Affected users will be notified within 72 hours as required by law
  • We conduct post-incident reviews to prevent recurrence
  • Significant security updates are communicated via email and in-app notifications

Responsible Disclosure

We appreciate the security research community. If you discover a vulnerability:

  • Email us at support@instructionly.io
  • Provide sufficient detail to reproduce the issue
  • Give us reasonable time to address the issue before public disclosure
  • Do not access or modify other users' data

We commit to acknowledging reports within 48 hours and keeping you informed of our progress.

Compliance

We are committed to meeting security and privacy standards:

  • GDPR: Full compliance for EU users, including data portability and right to deletion
  • CCPA: Compliance for California residents
  • SOC 2: Working toward certification (planned 2026)

Contact

For security-related inquiries:

support@instructionly.io