Security by architecture, not by badge wall
No certification logos we haven't earned, no vague "military-grade" claims. Instead: real isolation between containers, ScaleShield in front of every site, automatic TLS, WireGuard private networks and 2FA — here is how each layer works.
Four layers between the internet and your data
Each layer works without configuration — it is how the platform is built, not an add-on you buy.
ScaleShield WAF & bot protection
All traffic to your app passes through ScaleShield first. The WAF filters attack patterns and the bot layer blocks automated abuse before it touches your container. Included on every plan, always on.
Free automatic TLS, incl. wildcard
Certificates are issued and renewed automatically for every site — the free subdomain, your custom domains, and wildcard certificates. There is nothing to configure and nothing to let expire.
Per-site container isolation
One container per site with its own filesystem, process tree and hard RAM limit; one database per site, never shared tables. A problem in one site — yours or anyone else’s — stays in its container.
WireGuard private networks (Pro+)
A per-tenant WireGuard network encrypts service-to-service traffic and lets you keep databases and admin panels off the public internet entirely — reach them through the tunnel instead.
Keep secrets out of your repo
API keys, database URLs and tokens are managed as environment variables in the dashboard, per app. At deploy time they are injected into your container — your git history stays clean, and rotating a key means changing one field and redeploying.
- Set, edit and remove variables per app from the dashboard
- Injected at deploy time — never baked into your repository
- PR previews can carry separate values, keeping production secrets out of review environments
- Database connection details for managed Postgres 15 and Redis 7 are provided the same way
Your account is a target too
Most real-world breaches start with an account, not a server. These controls ship on the platform today.
Two-factor authentication
Available on every plan, for every user on your team.
Team roles
Owner, admin, developer, editor and viewer roles — grant the least access that does the job.
Audit logging
Administrative actions are recorded, so you can see who changed what, and when.
Scoped SFTP accounts
Give a contractor SFTP access to one directory — not your whole account. Port 2222.
And when something does go wrong
Backups run on schedule — daily, weekly or monthly — and every backup is automatically restore-tested nightly by actually restoring it into a sandbox. Per-minute uptime monitoring alerts you by email, Slack or webhook. Read how that works on our backups page — or the deploy side on deployments.
Security FAQ
How are apps isolated from each other?
Every site runs in its own container with its own filesystem, process tree and hard RAM limit, and every site gets its own database — one database per site, never shared tables. A compromise or crash in one container does not reach another.
What does ScaleShield actually do?
ScaleShield is the edge layer in front of every site we host: a web application firewall plus bot protection, terminating TLS at the edge. It filters malicious and automated traffic before it reaches your container. It is on by default on every plan, including Free.
How are TLS certificates handled?
Automatically. Every site — including free subdomains and custom domains — gets a free TLS certificate, issued and renewed for you. Wildcard certificates are included.
How are environment variables and secrets handled?
You set them per app in the dashboard and they are injected into your container at deploy time. They never need to live in your git repository, and PR preview environments can carry their own separate values so production secrets stay out of previews.
What is WireGuard private networking for?
On Pro and Agency plans, your containers join a per-tenant WireGuard private network. Services talk to each other over encrypted tunnels rather than public endpoints, and you can join the network from your own machine to reach a database or admin service that has no public port at all.
What account-level protections exist?
Two-factor authentication on every plan, team roles (owner, admin, developer, editor, viewer) so people only get the access they need, and audit logging of administrative actions. SFTP supports scoped sub-accounts for limited file access.