MarBoba
Security

How MarBoba handles the scary parts.

MarBoba holds tokens that can create repos on your behalf, push files to them, and set CI/CD secrets. That level of access gets taken seriously. This page describes how we handle it today. Nothing is final — if something here is wrong for your threat model, tell us.

Secret storage

  • Every secret in the Vault is encrypted with envelope encryption using Google Cloud KMS. Firestore stores the wrapped ciphertext; the DEK never leaves Google's HSM boundary.
  • Plaintext is only decrypted inside Cloud Functions for the brief window needed to push the secret to your VCS or return a revealed value to an authorized UI session. It is never logged and never persisted unencrypted.
  • API keys (the ones MarBoba issues to your app) are SHA-256 hashed on creation. Only the hash is stored. If you lose the key, you rotate — we can't recover it.
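The two mechanisms described above, envelope encryption of Vault secrets and SHA-256 hashing of issued API keys, as an added example that is not MarBoba's code (Go, standard library only). A constructed local key `kekStandIn` stands in for the Cloud KMS key-encryption key so the block runs offline; in a real deployment the `seal(kekStandIn, dek)` and `unseal(kekStandIn, wrappedDEK)` calls would be KMS Encrypt/Decrypt requests and the KEK would never be present in application memory. The `mb_` key prefix, the sample token and every function name here are assumptions of the example, not MarBoba's formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// kekStandIn is a constructed stand-in for the key-encryption key that Cloud KMS
// would hold; with KMS, the wrap and unwrap steps below are Encrypt/Decrypt API calls.
var kekStandIn = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM and prepends the fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; the GCM tag check rejects any tampered ciphertext.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EnvelopeEncrypt draws a one-time DEK, seals the secret under it, and wraps the DEK
// under the KEK. Only wrappedDEK and ciphertext are persisted; the bare DEK is not.
func EnvelopeEncrypt(secret []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if ciphertext, err = seal(dek, secret); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = seal(kekStandIn, dek) // production: KMS Encrypt(dek)
	return wrappedDEK, ciphertext, err
}

// EnvelopeDecrypt unwraps the DEK and opens the secret; plaintext lives only in the caller's memory.
func EnvelopeDecrypt(wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := unseal(kekStandIn, wrappedDEK) // production: KMS Decrypt(wrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, ciphertext)
}

// HashAPIKey yields the only stored form of a key; plain SHA-256 suffices for 256 random bits.
func HashAPIKey(key string) string {
	sum := sha256.Sum256([]byte(key))
	return hex.EncodeToString(sum[:])
}

// IssueAPIKey returns the key (shown once, never stored) and its hash; "mb_" is a constructed prefix.
func IssueAPIKey() (plaintext, storedHash string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	plaintext = "mb_" + base64.RawURLEncoding.EncodeToString(raw)
	return plaintext, HashAPIKey(plaintext), nil
}

// VerifyAPIKey hashes the presented key and compares digests in constant time.
func VerifyAPIKey(presented, storedHash string) bool {
	return subtle.ConstantTimeCompare([]byte(HashAPIKey(presented)), []byte(storedHash)) == 1
}

func main() {
	wrapped, ct, _ := EnvelopeEncrypt([]byte("ghp_constructedSampleToken")) // constructed sample
	pt, err := EnvelopeDecrypt(wrapped, ct)
	key, h, _ := IssueAPIKey()
	fmt.Printf("recovered=%q err=%v key=%s verified=%v\n", pt, err, key, VerifyAPIKey(key, h))
}
```

Two points worth noticing when reading this against the bullets above: every secret gets its own DEK and nonce, so the wrapped DEK and ciphertext stored for two identical secrets differ and a single wrapped DEK never protects more than one record; and because an issued API key is 256 bits of randomness rather than a user-chosen password, an unsalted SHA-256 is the right choice, while the constant-time comparison on verification keeps the lookup from leaking how many digest bytes matched.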

Access to your repositories

  • You provide the VCS token. MarBoba stores it like any other Vault secret (KMS-encrypted) and uses it only for actions you explicitly authorize (create repo, push pipeline file, list runs, cancel runs).
  • Token scopes are documented per-provider in the setup flow. We ask for the least permissive scope that lets the feature work.
  • We never read source code. The pipeline file we push is the only thing we ever write. Everything else is read-only metadata — run status, job logs, branch names, PR state.

Audit trail

Every action that touches a secret, creates a pipeline, or changes a feature flag is written to an audit log tied to the actor UID and the organization. Sys-admins can export the log; it's surfaced in the Audit Logs screen under System.

Authentication

  • Firebase Authentication with email/password, Google, or SAML SSO (Scale+)
  • TOTP-based MFA enforced at the org or individual level
  • Session tokens rotate daily; revocable per-device

Infrastructure

  • MarBoba runs on Google Cloud — Firestore, Cloud Functions, Cloud Storage, KMS
  • All traffic is TLS 1.2+ with HSTS
  • TLS certificates are managed by Firebase Hosting + Let's Encrypt
  • Nightly backups of Firestore with 30-day retention

Responsible disclosure

Found a vulnerability? Email security@somexai.com with reproduction steps. We'll acknowledge within two business days and coordinate a fix + disclosure timeline with you. We don't have a bug bounty program yet, but we do credit researchers publicly with permission.

Subprocessors

A short list of services we entrust with customer data. Changes to this list are published in-app and in the changelog.

  • Google Cloud Platform (Firestore, Cloud Functions, KMS, Cloud Storage, Hosting)
  • Firebase Authentication (Google)
  • Stripe (billing only — no code/secrets touch Stripe)
  • SendGrid (transactional email only)

Compliance

SOC 2 Type II is on our roadmap; the in-product Compliance screen already surfaces the controls we track internally. GDPR DPAs are available on request to legal@somexai.com.