Security Questionnaire
Pre-filled SIG Lite
All 19 SIG Lite risk domains (A through S), answered proactively through the lens of zero-knowledge architecture. Your security team can evaluate DevSafe without scheduling a call or waiting for a response.
What is SIG Lite?
The Standardized Information Gathering (SIG) questionnaire is an industry-standard framework developed by Shared Assessments for evaluating third-party risk. SIG Lite covers 19 risk domains (A through S), from encryption and access control to compliance and AI risk.
Most vendors make you request this document and wait days for a response. We publish it here because transparency is faster than process. Every answer below is framed through DevSafe's zero-knowledge architecture: if we cannot access the data, most risk domains resolve to a single architectural fact rather than a list of policies. If your security or procurement team needs to evaluate DevSafe, this page has the answers.
The zero-knowledge advantage
DevSafe cannot access your code or backups, even if compelled. Encryption happens on your machine with your key. We never see it, store it, or transmit it. This architectural fact simplifies many SIG Lite answers: if we cannot access the data, we cannot leak it, train on it, or share it. Zero-knowledge is not a policy. It is a constraint.
Each domain below shows a relevance level indicating how directly that risk domain applies to DevSafe.
Risk domains
A. Enterprise Risk Management (Relevance: MEDIUM)
HXA Labs maintains a risk management framework appropriate to its size and operating model. Security review processes are documented. The company operates under a priority stack: Safety > Truth > Trust > Quality > Capability. All product and engineering decisions are evaluated against this hierarchy. The founder is Deaf, which ensures accessibility is a core value rather than an afterthought. WCAG 2.1 AA is the accessibility target for all web properties.
B. Nth Party Management (Relevance: HIGH)
Four sub-processors: Cloudflare (hosting, CDN, WAF), Supabase (auth, database), Stripe (payments), Resend (transactional email). None of these sub-processors access customer code or backups. The sub-processor list is published on the Trust Center. Customers receive 30-day notice before any changes to the sub-processor list.
C. Information Assurance (Relevance: HIGH)
AES-256-GCM encryption is performed client-side before any data leaves the customer's machine. Encryption keys are generated locally and never leave the customer's environment. DevSafe has zero access to plaintext customer data. The backup format is documented and open, allowing independent verification.
D. Asset and Information Management (Relevance: HIGH)
Customer data classification: Service data (email address, usage metrics) is handled by DevSafe. Customer code and backups are encrypted and stored in customer-owned infrastructure. DevSafe never stores or has credentials to access customer storage. Data retention: Service data is deleted upon account termination.
E. Human Resource Security (Relevance: LOW)
Standard security awareness practices are in place. HXA Labs is a small, founder-led team with a security-first culture. The zero-knowledge architecture reduces the human risk surface: even with full infrastructure access, team members cannot decrypt customer backups.
F. Physical and Environmental Security (Relevance: N/A)
DevSafe operates no physical infrastructure. DevSafe's website and application are hosted on Cloudflare Pages. Customer backups are stored in customer-owned Cloudflare R2 or S3 buckets (not DevSafe infrastructure). Supabase provides managed PostgreSQL for auth and account data. Physical security responsibilities are delegated to these sub-processors, each of which maintains its own SOC 2 and ISO 27001 certifications.
G. IT Operations Management (Relevance: MEDIUM)
DevSafe is a single Go binary with zero runtime dependencies. No Docker, no Node.js, no Python. Deployments to Cloudflare Pages are immutable with instant rollback capability. TLS certificates are provisioned automatically. The database runs on Supabase (managed PostgreSQL with encryption at rest). DevSafe operates no self-managed servers. Server patching, hardening, and OS-level security are the responsibility of the managed service providers.
H. Access Control (Relevance: HIGH)
Authentication methods: email and password, magic link (email), or GitHub OAuth. Optional TOTP multi-factor authentication. Passwords are hashed by Supabase Auth and are never accessible to DevSafe. Sessions are managed through Supabase Auth with JWT tokens. The principle of least privilege is applied across all systems. Team plans support role-based access with Owner and Member roles.
I. Application Security (Relevance: HIGH)
DevSafe ships as a single Go binary compiled from source with a minimal dependency chain. All database access uses parameterized queries. Input validation is enforced on every request. CORS is locked to devsafe.com. Security headers are deployed: HSTS, Content Security Policy, X-Frame-Options, and X-Content-Type-Options.
J. Cybersecurity Incident Management (Relevance: MEDIUM)
An incident response plan is documented. Breach notification is provided within 48 hours. The scope of any potential breach is limited to service data (email addresses, usage metrics). Customer code and backups are encrypted and inaccessible to DevSafe even in a breach scenario. The zero-knowledge architecture means a compromise of DevSafe infrastructure cannot expose customer source code.
K. Operational Resilience (Relevance: MEDIUM)
The backup format is open and documented. Customers can restore their backups without DevSafe: decrypt with your key, restore with standard git tools. No vendor lock-in. Backups are stored in customer-owned storage and survive DevSafe outages, account changes, or service discontinuation.
L. Compliance Management (Relevance: HIGH)
GDPR: Aligned. Privacy by design. Data subject rights supported. DPA available (Version 1.0, June 2026). HIPAA: Technical safeguards addressed through zero-knowledge architecture. BAA template in preparation. SOC 2 Type II: Observation period target 2027. CCPA: Aligned. No sale of personal data.
M. Endpoint Device Security (Relevance: LOW)
The DevSafe CLI runs on customer endpoints as a standard user-level process. No persistent daemon. No privileged access required. Read-only access to git repositories. The binary does not install background services, kernel extensions, or system-level hooks.
N. Network Security (Relevance: MEDIUM)
DDoS protection is provided by Cloudflare. A Web Application Firewall filters malicious requests. Bot detection and blocking are enabled. TLS 1.2 or higher is required for connections to DevSafe infrastructure and storage providers. HTTPS is enforced; HTTP connections are not accepted. Private networking is used between internal services.
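The application-layer controls from domain I (security headers, CORS locked to devsafe.com) and the TLS 1.2 floor from domain N, as one added Go example that is not DevSafe's own code. The header values, the exact allowed origin string, and the `Probe` helper are assumptions made for this example; the page names the headers but not their values.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AllowedOrigin is the single origin that CORS responses may name. The value is
// assumed for this example, matching the "CORS is locked to devsafe.com" statement.
const AllowedOrigin = "https://devsafe.com"

// SecurityHeaders wraps any handler, emits the four headers the page lists, and
// applies a strict CORS policy: the allowed origin is echoed only on an exact
// match; any other cross-origin request gets a 403 and no
// Access-Control-Allow-Origin header at all (never "*", never the caller's Origin).
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")

		if origin := r.Header.Get("Origin"); origin != "" {
			if origin != AllowedOrigin {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			h.Set("Access-Control-Allow-Origin", AllowedOrigin)
			h.Set("Vary", "Origin") // shared caches must not reuse this response for other origins
			if r.Method == http.MethodOptions { // CORS preflight
				h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
				h.Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// ServerTLSConfig refuses any client that cannot negotiate TLS 1.2 or newer.
func ServerTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// Probe sends one in-memory request through the middleware and returns the
// status code and response headers, so the policy can be checked without a socket.
func Probe(method, origin string) (int, http.Header) {
	app := SecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "https://devsafe.com/api/ping", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	app.ServeHTTP(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	// Constructed origins: same-origin (no Origin header), the allowed origin, and a foreign one.
	for _, origin := range []string{"", AllowedOrigin, "https://other.example"} {
		code, hdr := Probe(http.MethodGet, origin)
		fmt.Printf("origin=%q status=%d ACAO=%q HSTS=%q\n", origin, code,
			hdr.Get("Access-Control-Allow-Origin"), hdr.Get("Strict-Transport-Security"))
	}
	srv := &http.Server{Addr: ":8443", TLSConfig: ServerTLSConfig()}
	fmt.Println("TLS 1.2 floor configured:", srv.TLSConfig.MinVersion == tls.VersionTLS12)
}
```

Two design choices matter for a reviewer: a foreign origin is refused outright rather than answered without CORS headers (so the response body never reaches a cross-origin script), and `Vary: Origin` is set whenever the allowed origin is echoed, so a CDN in front of the application cannot serve that response to a different origin.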
O. Privacy (Relevance: HIGH)
Zero-knowledge architecture. No third-party analytics tracking. No customer data used for training. Customer code is never seen, shared, or sold. GDPR data subject rights are supported. CCPA aligned: no sale of personal data. Privacy is architectural, not policy-based. DevSafe cannot access customer data even if it wanted to.
P. Threat Management (Relevance: MEDIUM)
Cloudflare WAF and DDoS protection are active on all endpoints. Rate limiting is enforced on all API endpoints. Bot detection and blocking prevent automated abuse. The threat surface is intentionally small: a single Go binary with no runtime dependencies and no self-managed servers.
Q. Supply Chain Risk Management (Relevance: HIGH)
DevSafe ships as a single Go binary with a minimal, audited dependency chain. Every dependency is a documented trust decision. No runtime package managers, no dynamic module loading. The CLI has zero runtime dependencies beyond the compiled binary. Sub-processors are limited to four (Cloudflare, Supabase, Stripe, Resend), each evaluated for security posture. The zero-knowledge architecture means a supply chain compromise of any sub-processor cannot expose customer code or backups.
R. Artificial Intelligence Risk (Relevance: N/A)
DevSafe does not use AI or machine learning in any part of the backup, encryption, or storage pipeline. No customer data is used for model training. No AI-generated decisions affect data handling, access control, or encryption. The product is deterministic: same input, same encrypted output, every time. If HXA Labs introduces AI features in the future, they will operate under the same zero-knowledge constraint. The architecture guarantees that no AI system can access customer code or backups.
S. Cloud Hosting Services (Relevance: HIGH)
Customer backups are stored in customer-owned Cloudflare R2 or S3-compatible buckets. DevSafe never stores backups and never has credentials to access customer storage. The customer controls their storage, their keys, and their data lifecycle. Supabase provides auth and database services with encryption at rest. HXA Labs is a tenant of its cloud providers, not an operator of cloud infrastructure.
Need a deeper review?
If your organization requires a full SIG Core questionnaire, a custom security review, or additional compliance documentation, our team is ready to help.
Request Custom Review
For security-specific inquiries, responsible disclosure, or compliance document requests, contact the security team.
See also: Trust Center · Security & Threat Model · Privacy Policy