Security

Built to be trusted with your sites.

Cockpit connects to your Webflow account and your clients’ live sites, so security isn’t a feature — it’s the foundation. Here’s how we handle it.

Encryption everywhere

All traffic is served over TLS. The Webflow and Google access tokens you authorize are encrypted at rest with AES-256-GCM — we never store them in plaintext, and decrypt only for the moment of an API call.
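As an added illustration of the token-handling pattern described above (example code written for this page, not Cockpit's own implementation), the Go program below seals an OAuth token with AES-256-GCM, stores only the sealed blob, and exposes the plaintext solely inside a callback for the duration of one API call. The in-memory store, the `v1|team|provider` associated-data format and the constructed token value are assumptions made for the example; a real deployment would hold the key in a KMS or secret manager rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyLen is 32 bytes, which selects AES-256.
const keyLen = 32

// TokenStore keeps sealed OAuth tokens keyed by (team, provider).
// It is an in-memory stand-in for a database table (constructed for the example).
type TokenStore struct {
	key  []byte
	rows map[string][]byte // nonce || ciphertext || GCM tag
}

// NewTokenStore rejects keys of the wrong length so a misconfigured
// deployment fails closed instead of silently using a weaker key.
func NewTokenStore(key []byte) (*TokenStore, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	return &TokenStore{key: key, rows: map[string][]byte{}}, nil
}

func rowKey(teamID, provider string) string { return teamID + "/" + provider }

// aad binds each ciphertext to its team and provider as GCM associated data:
// a blob copied into another team's row fails authentication on Open.
func aad(teamID, provider string) []byte { return []byte("v1|" + teamID + "|" + provider) }

func (s *TokenStore) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put seals a plaintext token under a fresh random nonce and stores only the sealed blob.
func (s *TokenStore) Put(teamID, provider, token string) error {
	g, err := s.gcm()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Seal appends ciphertext+tag to the nonce so one column holds everything needed to Open.
	s.rows[rowKey(teamID, provider)] = g.Seal(nonce, nonce, []byte(token), aad(teamID, provider))
	return nil
}

// WithToken decrypts only for the duration of fn, never returns the plaintext,
// and zeroes the buffer afterwards (best effort: fn must not retain the slice).
func (s *TokenStore) WithToken(teamID, provider string, fn func(token []byte) error) error {
	sealed, ok := s.rows[rowKey(teamID, provider)]
	if !ok {
		return errors.New("no token stored for this team/provider")
	}
	g, err := s.gcm()
	if err != nil {
		return err
	}
	ns := g.NonceSize()
	if len(sealed) < ns {
		return errors.New("sealed blob too short")
	}
	plain, err := g.Open(nil, sealed[:ns], sealed[ns:], aad(teamID, provider))
	if err != nil {
		return fmt.Errorf("token authentication failed: %w", err)
	}
	defer func() {
		for i := range plain {
			plain[i] = 0
		}
	}()
	return fn(plain)
}

func main() {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store, _ := NewTokenStore(key)
	// Constructed sample token; a real value would come from the provider's OAuth flow.
	_ = store.Put("team-a", "webflow", "wf_constructed_sample_token")
	err := store.WithToken("team-a", "webflow", func(tok []byte) error {
		fmt.Printf("calling provider API with a %d-byte bearer token\n", len(tok))
		return nil
	})
	fmt.Println("api call error:", err)
}
```

The associated data is what turns "encrypted" into "encrypted for exactly this team": if a row is copied or swapped between teams, `Open` fails rather than handing one team another team's credential.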

No passwords to steal

Sign-in is Google OAuth only — Cockpit never sees or stores a password. Webflow is connected through its official OAuth, and you approve exactly which sites Cockpit can access.

Scoped, least-privilege access

Every team’s data is isolated: queries are scoped to your team membership, so one team can never see another’s sites, tokens, or activity. Admin access to the console is a short, separate session protected by two-factor authentication.

Change management & audit trail

Changes ship through version control and review, and sensitive admin actions are recorded in an append-only audit log. Publishing to your live sites always requires an explicit, confirmed action.

Monitoring

The same uptime and error monitoring Cockpit runs for your sites, we run for Cockpit — with alerting so we hear about problems quickly.

Data ownership & deletion

Your data is yours. Delete a team, and its associated data is removed within 30 days, except records we’re legally required to retain (e.g. billing). See the Privacy Policy for details.

Infrastructure & subprocessors

Cockpit runs on SOC 2-compliant infrastructure and relies on a short list of vetted providers, each receiving only what its function requires.

Provider   Purpose                                      Certifications
Railway    Application & database hosting (US)          SOC 2
Stripe     Payment processing                           PCI DSS · SOC 2
Google     Authentication; Sheets (opt-in)              SOC 2 · ISO 27001
Webflow    The site APIs Cockpit is built on            SOC 2
Resend     Transactional email (alerts), when enabled   SOC 2

A note on compliance

Our hosting and payment infrastructure is SOC 2-compliant, and we build on top of it with the practices above. Cockpit itself does not yet carry an independent SOC 2 report — we won’t claim a certification we don’t hold. If your organization requires a formal security review, vendor questionnaire, or DPA, get in touch and we’ll work through it with you.