
Security

Effective as of: 28 May 2026
Last modified: 28 May 2026

How we keep Tessl safe

Security is foundational to how we build Tessl. This page describes our practices across infrastructure, data handling, access control, and the skills registry — so you can make an informed decision about trusting us with your codebase context.

Infrastructure

Tessl runs on a managed cloud environment. All services are containerised and deployed through automated pipelines with no manual access to production systems.

Data is encrypted in transit using TLS 1.2+ and encrypted at rest. Our database is managed and backed up continuously, with point-in-time recovery available.

We use separate environments for development vs. production. Production credentials are never used outside production, and secrets are managed through a secrets manager — never in code.

Authentication and access control

Tessl uses API keys for CLI authentication. Keys are hashed before storage and never logged. Users can create and revoke keys at any time from their account settings.

Workspaces have role-based access control. Members can be granted view or admin roles, and workspace owners control who can publish plugins to the registry. Internal workspace plugins are never exposed to the public registry without an explicit publish action.

We support SSO and OAuth-based login flows. Passwords are hashed using industry-standard algorithms and are never stored in plaintext.

Data handling

We collect only the data necessary to operate Tessl: account information, installed plugin records per project (tessl.json), and skill content you publish to the registry.

Skills and plugins you keep in private workspaces are not indexed, shared, or used to train any model. Public plugins are accessible to any authenticated user. For more information on how we handle usage data, see Sharing Usage Data (https://docs.tessl.io/legal/sharing-usage-data).

We do not sell personal data to third parties. For more information on how we handle personal data, see our Privacy Policy (https://tessl.io/policies/privacy-cookies/).

Registry and skill integrity

Published plugins go through content validation before they are listed. We check for structural correctness and run automated review evaluations on all skills at publish time.

Plugin versions are immutable once published. Content-based fingerprinting ensures the skill installed via the CLI matches exactly what was reviewed at publish time.

Responsible disclosure

We take vulnerability reports seriously. If you discover a security issue in Tessl, please report it to us privately before disclosing it publicly. We commit to:

Acknowledging your report within 2 business days, providing a resolution timeline within 10 business days, and crediting researchers who responsibly disclose valid issues — if they wish.

We ask that you do not access, modify, or delete data belonging to other users; do not run automated scanners against our production infrastructure; and give us reasonable time to remediate before public disclosure.

Send vulnerability reports to our security team at security@tessl.io. Please include a description of the issue, steps to reproduce, and your assessment of severity.