Security

Secure by design

Control who can publish, keep secrets encrypted, and ship production Agentic SaaS with guardrails—not guesswork. SaasChing Cloud is US-focused today.

Access and control

Enterprise

SaasChing is built for teams that need clear boundaries. Role-based permissions separate viewing, editing, approving, and publishing. Enterprise workspaces can integrate with SAML and OIDC identity providers (including Okta, Azure AD, and Google) with SCIM provisioning on our roadmap—so access stays aligned with your org chart.

Guardrails for building and publishing

Editing, approval, and going live are separate capabilities. Public access is controlled by role and environment, so teams can move fast without accidental exposure of preview apps or draft sites.

Secrets are handled securely

API keys and integration secrets are encrypted at rest and scoped by environment. They are not exposed in plaintext in logs or the builder UI. Access is limited to authorized actions in your workspace.

US data hosting

US hosting

SaasChing Cloud hosts customer workloads in the United States. We work with a limited set of vetted infrastructure partners and document subprocessors for enterprise review. Additional regions are not offered today.

Your data is not used to train models

We do not use your prompts, generated code, or workspace data to train SaasChing models. Where third-party AI providers are involved, contractual terms restrict training and retention on customer content. Your work stays yours.

Isolation by design

Each workspace and project is logically separated. Customer data is not accessible across accounts. Preview and production environments are bounded so changes are evaluated before they reach paying users.

Monitoring and abuse detection

We monitor platform activity for misuse, anomalous behavior, and compromise. Automated systems enforce rate limits on marketing forms and APIs, with high-risk activity reviewed by our team.

Automatic security scanning

Before you publish, SaasChing runs security checks on database configuration, row-level security (RLS) policies, and common misconfiguration patterns—typically in seconds. Deeper scans can review your full application stack on demand. Workspace admins can block publish on critical findings as those controls roll out.

Protected infrastructure

Production workloads run behind web application firewall (WAF) controls, network isolation, encrypted storage, and adaptive rate limiting at the IP, user, and workspace level—aligned with the enterprise-grade security included in every plan.

Frequently asked questions

Where is customer data stored?
Customer data for SaasChing Cloud is hosted in the United States. A subprocessor list is available on request for compliance reviews.

Is customer data used to train AI?
No. Your prompts, generated applications, and workspace data are not used to train SaasChing models. Third-party AI providers are bound by agreements that restrict training and retention on customer data.

Is SaasChing multi-tenant, and how is data isolated?
Yes. SaasChing is multi-tenant with logical isolation between workspaces and projects. Customer data is not accessible across accounts. Isolation is enforced at the application and infrastructure layers.

Which subprocessors does SaasChing use?
We work with a limited set of infrastructure, payment, email, and AI subprocessors. All are covered under data protection agreements. A current list is available on request for enterprise and compliance reviews.

Does SaasChing access or clone our source code?
No. SaasChing does not clone your Git repositories or require inbound access to your production environments. You can export a modern React + Supabase foundation; your repos and production perimeter stay under your control.

Does SaasChing require access to our CI/CD or production infrastructure?
No. Publishing runs through SaasChing’s controlled pipeline. We do not deploy agents inside your production network or require CI/CD credentials to ship your app and marketing site.

How are publishing controls enforced?
Publishing permissions are evaluated server-side. Editing, approval, and publishing are separate role capabilities. Production releases can require explicit approval, with publishing events attributed to the user who shipped them.

How does role-based access control (RBAC) work?
Permissions are role-based for viewing, editing, approving, and publishing. Enterprise plans support integration with SAML/OIDC identity providers. Authorization checks run server-side on every sensitive action.

How are secrets and API credentials managed?
Secrets are encrypted at rest and scoped to environments. Access is role-controlled. Secrets can be rotated or revoked without redeploying your entire stack.

Does SaasChing perform automated security scanning?
Yes. Basic checks run before publish (database config, RLS, cloud settings). Deeper codebase scans are available on demand. Dependency and configuration checks continue as you build.

Is SaasChing SOC 2 or ISO 27001 certified?
SaasChing does not hold independent SOC 2 Type II or ISO 27001 certification today. We follow security practices aligned with common enterprise frameworks and use vetted subprocessors with industry-standard attestations where applicable. Visit the Trust center or email security@saasching.ai for questionnaires and enterprise review.

Included on every plan: SSL/TLS, DDoS protection, encrypted storage, and security checks before publish.

Ready to build securely?

Need compliance documentation or have a security question? Visit the Trust center or email security@saasching.ai.