Security Practices
Last updated: April 19, 2026
A condensed summary of Anvil's security program. The detailed customer-facing packet, which includes our SOC 2 Type II report (in progress), vendor list, and incident history, is available on request via anvil@koydo.app.
Engineering hygiene
- All production access gated by SSO + hardware keys.
- Secrets in Infisical; no secrets in Git.
- Dependency updates via Renovate; weekly audit reviewed by the team.
- Every container image signed via cosign; verified at deploy time.
Incident response
24/7 pager rotation on Enterprise; next-business-day on Team. Sev-1 post-mortems shared with affected customers within 72 hours.