What we hold

Cloudskill stores three categories of data: account information (organisation name, billing email, member emails), skill content (the markdown files your administrators upload to your catalogue), and usage records (timestamps showing when each member's Claude session fetched their personal URL).

We do not have access to the conversations your team members have with Claude. Cloudskill returns a manifest of allowed and denied skills at the start of each chat; what happens inside the chat is between the user and Anthropic.

The honest enforcement model

Cloudskill enforces policy the same way every other organisational policy is enforced: by telling people what they're allowed to do and trusting them to comply. When Cloudskill returns a manifest saying "Sarah may not use Skill B in this chat," Claude respects that instruction in the same way it respects any other instruction.

This is soft enforcement, not hard technical interception. A determined employee could disable the Cloudskill skill in their preferences, edit the URL it points to, or instruct Claude to ignore the restrictions. Cloudskill cannot prevent any of those things, and we don't claim it can.

For the vast majority of organisational policy, soft enforcement is the right model. It works the same way as the policy that says employees can't share customer data on personal email accounts, or the one that requires confidential documents to stay on company devices. The policy guides the default behaviour; the consequence of breaking it is HR, not technical lockout.

If your compliance requirements demand hard technical enforcement — for example, regulated industries that require the ability to mathematically prove a particular tool was inaccessible to a particular user — Cloudskill is not the right tool for that requirement, and we'd rather you knew that now than after you bought it.

Where data is stored

Customer data is stored in the EU by default. Our primary database is hosted on Supabase in their EU region. Web traffic is routed through Cloudflare's global edge network and terminates at our worker in the closest region to your user.

US data residency is available on request for organisations that require it. Email us to discuss multi-region deployment.

Encryption

All data is encrypted in transit using TLS 1.2 or higher. All data is encrypted at rest using the encryption provided by our infrastructure providers (Supabase uses AES-256 for database-level encryption).

We never store payment card information. All billing is handled by Lemon Squeezy as merchant of record; card details are entered directly into their checkout and never touch Cloudskill's infrastructure.

Authentication

Each Cloudskill seat is identified by a unique personal URL containing a secret token. Treat this URL like a password — anyone with the URL can fetch that user's manifest. The token is generated using cryptographically secure UUIDs and is unique across all customers.

SSO and SCIM provisioning via SAML or OIDC providers (Okta, Azure AD, Google Workspace, others) is available for enterprise customers. Contact us if you need this.

Sub-processors

We rely on a small number of third-party services to run Cloudskill. Each is selected for security posture, EU presence, and contractual data protection commitments.

  • Cloudflare — DNS, edge network, worker compute, web hosting. SOC 2 Type II, ISO 27001 certified.
  • Supabase — primary database (Postgres). SOC 2 Type II certified.
  • Lemon Squeezy — payment processing as merchant of record, including VAT collection. PCI DSS compliant.
  • Resend — transactional email (welcome emails, password resets, billing notifications).
  • Make — workflow automation between billing events and account provisioning.

We update this list whenever it changes. If you have a list of approved sub-processors as part of your procurement process, we can review and confirm whether our list aligns.

Compliance posture

Cloudskill is currently pre-certification. We have not yet completed SOC 2 Type II or ISO 27001 audits. Both are on our roadmap for completion within the first year of meaningful enterprise revenue, with SOC 2 Type II prioritised first.

If your procurement requires evidence of completed certifications today, we may not be the right fit yet. If you can accept self-attested security posture for now with a contractual commitment to certify within a defined timeline, we're happy to discuss.

For VAT and tax compliance, Lemon Squeezy operates as our merchant of record and handles all VAT registration, collection, and remittance globally. We are not directly registered for VAT in any jurisdiction.

Data deletion and portability

Customers can delete their organisation's data at any time from the admin dashboard. Deletion removes all account information, skill content, audit logs, and member records within 30 days. Backups are retained for an additional 30 days for disaster recovery purposes, after which all traces of the data are removed.

Customers can export their skill catalogue and audit logs as CSV at any time from the admin dashboard. We maintain export compatibility going forward; we won't change formats in ways that break your existing exports without notice.

Incident response

If we discover a security incident affecting customer data, we will notify affected customers within 72 hours of discovery, with the information we have at that point. We commit to additional updates as the situation develops and a post-incident report once the incident is resolved.

We have not had any security incidents to date.

Reporting a concern

If you've discovered a security vulnerability, please email security@cloudskill.app. We don't currently run a formal bug bounty programme, but we acknowledge responsible disclosures and credit researchers in our security history.

For other security questions, including procurement-driven security questionnaires, email hello@cloudskill.app and we'll respond within two business days.

Last updated: 17 April 2026