Plain English about how we handle your data.

We aim to describe our security posture accurately, including what we have not yet done. If anything here is unclear or you need more detail for a procurement review, email us.

What we hold

Cloudskill stores three categories of data: account information (organisation name, billing email, member emails), skill content (the markdown files your administrators upload to your catalogue), and usage records (timestamps showing when members download skills from your catalogue).

We do not have access to the conversations your team members have with their AI agents. Cloudskill manages your catalogue and the distribution of skill files; what happens inside an AI assistant is between the user and that AI provider.

Access control

Cloudskill controls which skills each member can download from your catalogue. Every download is recorded.

Access is enforced on a per-organisation basis: members and administrators can only see and act on data belonging to their own organisation, enforced at both the application layer and the database layer. Administrative actions (managing the catalogue, members, and access policies) require an administrator role; standard members cannot perform them.

Once a skill has been downloaded and installed, it runs inside the member's own AI agent — Cloudskill does not intercept or monitor how an installed skill is used. Treat Cloudskill as your catalogue, distribution, and audit layer, and layer it on top of your existing IT provisioning where you need strict control.

Where data is stored

Our primary database is hosted in the EU region. Web traffic is routed through a global edge network and terminates at our worker in the closest region to your user.

US data residency is coming soon. Email us if multi-region deployment is a requirement for your organisation.

Encryption

All data is encrypted in transit using TLS 1.2 or higher. All data is encrypted at rest using AES-256 for database-level encryption.

Cloudskill does not store payment card information. When billing is active, card details are entered into a PCI DSS-compliant payment processor and never touch Cloudskill's infrastructure.

Authentication

Cloudskill uses passwordless authentication. Members and administrators sign in by requesting a single-use sign-in link sent to their registered email address; there are no passwords to set, store, or leak. Administrators sign in to the dashboard to manage the catalogue, distribution, and access policies.

Sign-in sessions are managed with secure session cookies scoped to cloudskill.com. Single-use sign-in links and session credentials are validated using constant-time comparison to protect against timing-based attacks.

Email sent from our domain is protected with SPF, DKIM, and DMARC, with DMARC set to enforce (reject) to reduce the risk of spoofed email purporting to come from Cloudskill.

SSO and SCIM provisioning via SAML or OIDC providers (Okta, Azure AD, Google Workspace, others) is coming soon. Contact us if it's a requirement for you.

Audit records

Administrative and access events are written to a per-organisation audit log. Audit records are append-only and tamper-evident: once written, they cannot be modified or deleted through the application, and the database enforces this independently of the application layer. Administrators can export their audit logs as CSV at any time from the admin dashboard.

Sub-processors

We rely on a small number of third-party services to run Cloudskill. Each is selected for security posture, EU presence, and contractual data protection commitments.

• Cloudflare: DNS, edge network, worker compute, web hosting. SOC 2 Type II, ISO 27001 certified.
• Supabase: primary database (Postgres). SOC 2 Type II certified.
• Resend: transactional email (sign-in links, welcome emails, billing notifications).
• Stripe: payment processing, subscription billing, and customer billing portal. PCI DSS Level 1 certified. Card data never touches our servers — Stripe collects, processes, and stores it directly.

We update this list whenever it changes. If you have a list of approved sub-processors as part of your procurement process, we can review and confirm whether our list aligns.

Compliance posture

Cloudskill is currently pre-certification. We have not yet completed SOC 2 Type II or ISO 27001 audits. Both are on our roadmap, with SOC 2 Type II prioritised first.

If your procurement requires evidence of completed certifications today, we may not be the right fit yet. If you can accept self-attested security posture for now with a contractual commitment to certify within a defined timeline, we're happy to discuss.

Data deletion and portability

Customers can delete their organisation's data at any time from the admin dashboard. Deletion removes all account information, skill content, audit logs, and member records within 30 days. Backups are retained for an additional 30 days for disaster recovery purposes, after which all traces of the data are removed.

Customers can export their audit logs as CSV at any time from the admin dashboard. We maintain export compatibility going forward; we won't change formats in ways that break your existing exports without notice.

Incident response

If we discover a security incident affecting customer data, we will notify affected customers within 72 hours of discovery, with the information we have at that point. We commit to additional updates as the situation develops and a post-incident report once the incident is resolved.

We have not had any security incidents to date.

Reporting a concern

If you've discovered a security vulnerability, please email security@cloudskill.com. We don't currently run a formal bug bounty programme but acknowledge responsible disclosures and credit researchers in our security history.

For other security questions, including procurement-driven security questionnaires, email hello@cloudskill.com and we'll respond within two business days.

Last updated: 4 June 2026