Your code, credentials, and build artifacts are sensitive assets. Lycan is built from the ground up with security as a core principle, not an afterthought.
All credentials, API keys, certificates, and environment variables are encrypted at rest using AES-256. Access is scoped by organization role and logged in audit trails.
Fine-grained RBAC ensures team members can only access the resources their role permits. Owners, admins, and members have clearly defined permission boundaries.
Every action taken on the platform — builds triggered, certificates uploaded, team members added — is recorded with actor, timestamp, and IP address.
Create scoped API keys for CI/CD automation. Keys can be revoked instantly and are never stored in plaintext. Supports key rotation workflows.
Lycan runs on hardened Kubernetes clusters with network policies, pod security contexts, and regular vulnerability scanning. Build environments are ephemeral and isolated.
Support for TOTP-based two-factor authentication for all user accounts. Enterprise plans include SSO integration via SAML 2.0 and OIDC.
Encryption in transit: All communication between clients and Lycan servers uses TLS 1.3. WebSocket connections for real-time build logs are also encrypted.
Encryption at rest: Database storage, artifact buckets, and secrets vault all use AES-256 encryption with regularly rotated keys.
Data residency: Enterprise customers can specify data residency regions. Self-hosted runner deployments keep build data entirely within your own infrastructure.
Artifact retention: Build artifacts are retained per your plan settings. You can configure retention policies and delete artifacts on demand.
Found a security vulnerability? We take security reports seriously and respond promptly. Please email us at [email protected] with details. We aim to acknowledge all reports within 24 hours.
Contact Security Team