Security
How Layerwise protects your work
Layerwise is built to help teams create, preview, and publish applications with AI. Security work focuses on account access, project isolation, generated code handling, and production publishing boundaries.
For vulnerability reports or security review questions, contact security@layerwise.app.
Platform Security
- Layerwise stores the product data needed to run the service, including account records, team metadata, project state, billing records, and usage information.
- Project work is provisioned into sandbox environments for preview, file operations, and agent-managed app changes.
- Published apps route through Cloudflare-backed release infrastructure, separate from the Layerwise authoring workspace.
- Project deletion includes cleanup paths for sandboxes, routing state, custom hostnames, and published workers.
Access Control
- GitHub OAuth and email OTP sign-in are supported today.
- Role-based access control is available for teams, with owner, admin, editor, and viewer roles.
- MFA is in progress.
- SSO and SAML are in progress.
AI And Code Handling
- Generated app work runs in project sandboxes instead of the public site runtime.
- Layerwise stores project metadata in the web database, while agent session history is kept in ACP-managed files.
- Permission requests and tool activity are projected from agent history so the UI can show what happened.
- Users are responsible for reviewing and testing generated code before deployment.
Operational Security
- Secrets are read through environment variables and provider-managed integrations.
- Stripe handles payment method collection and billing workflows.
- Account deletion is blocked while the user owns teams, which prevents accidental ownership loss.
- Formal security certifications are in progress.
Shared Responsibility
Layerwise protects the platform, including accounts, team membership, project metadata, sandbox routing, and production publishing controls. Customers control the prompts, source files, generated applications, external services, secrets, and domains they connect.
Incident Response
- Triage reports sent to security@layerwise.app.
- Contain affected systems and preserve relevant logs.
- Investigate scope, affected users, and required remediation.
- Notify impacted customers when action is required.
Privacy And Legal
Layerwise does not sell personal information. See the Privacy Policy and Terms of Service for more detail on data use, account responsibilities, and service terms.