Secure by Design
Encryption standards, authentication, network isolation, and compliance certifications.
Skytells implements defense-in-depth across every layer of the platform. Security is not an afterthought — it is a foundational design constraint applied from infrastructure provisioning through to API response delivery.
Encryption
Data in Transit
All communication with the Skytells API is encrypted in transit with TLS. TLS 1.3 is used by default, and connections using TLS 1.1 or earlier are rejected at the edge. This applies to:
- API requests and responses (api.skytells.ai)
- Webhook deliveries to your endpoints
- CDN-delivered prediction outputs (delivery.skytells.cloud)
- Dashboard and console sessions
Skytells enforces TLS 1.2 as the minimum accepted version. TLS 1.3 is preferred and used by default in all modern clients. Connections using older protocols are refused.
Data at Rest
All persistent data — account information, billing records, and prediction metadata — is encrypted at rest using AES-256 encryption. Encryption keys are managed through hardware security modules (HSMs) with automatic key rotation.
Generated outputs (images, audio, video) stored during the 5-minute retention window are also encrypted at rest on the CDN origin.
Authentication
API Keys
Every API request must include a valid Bearer token in the Authorization header:
```bash
curl -H "Authorization: Bearer sk_live_your_api_key" \
  https://api.skytells.ai/v1/predictions
```
API keys follow these security practices:
| Practice | Detail |
|---|---|
| Prefixed format | Keys use the sk_live_ prefix for production and sk_test_ for sandbox, making it easy to identify key scope. |
| Irreversible hashing | Only a hashed representation of your key is stored. The plaintext key is shown once at creation time. |
| Per-project scoping | Keys can be scoped to specific projects, limiting blast radius if compromised. |
| Instant revocation | Compromised keys can be revoked immediately from the dashboard. Revocation takes effect within seconds. |
Never embed API keys in client-side code, public repositories, or mobile applications. Use environment variables or a secrets manager. If a key is exposed, revoke it immediately from the Console.
Rate Limiting
All API endpoints enforce rate limits to protect platform stability and prevent abuse. Rate limits are applied per API key and vary by account tier. See Rate Limits for detailed tier information.
Network Security
Infrastructure Isolation
Skytells inference workloads run in isolated compute environments with the following guarantees:
- Tenant isolation — Each prediction executes in an ephemeral, single-tenant container. No shared memory, filesystem, or GPU context between tenants.
- Network segmentation — Inference nodes are isolated in private subnets with no direct internet access. Egress is restricted to the CDN origin and internal services.
- Edge protection — All public endpoints are behind a global edge network with DDoS mitigation, bot detection, and Web Application Firewall (WAF) rules.
Webhook Security
Webhook deliveries include an X-Skytells-Signature header for payload verification. Always validate this signature before processing webhook payloads. See Webhooks — Security for implementation details.
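The key-handling rules above (load from the environment, recognise the sk_live_/sk_test_ prefixes, send only as a Bearer header) and the webhook check in this section, as an added example that is not Skytells' own SDK. The signature algorithm is not specified on this page: the code assumes a hex-encoded HMAC-SHA256 over the raw request body keyed with a per-endpoint webhook secret, and the header, URL and sample values are taken from this page or constructed; confirm the real scheme on the Webhooks, Security page before relying on it.

```python
import hashlib
import hmac
import os
from typing import Mapping, Optional

API_BASE = "https://api.skytells.ai/v1"
KEY_PREFIXES = {"sk_live_": "live", "sk_test_": "test"}


def key_scope(key: str) -> Optional[str]:
    """Return 'live' or 'test' from the documented prefix, or None if the value is not a Skytells key."""
    for prefix, scope in KEY_PREFIXES.items():
        if key.startswith(prefix):
            return scope
    return None


def load_api_key(env: Mapping[str, str] = os.environ, name: str = "SKYTELLS_API_KEY") -> str:
    """Read the key from the environment (never from source code) and refuse values that are not keys."""
    key = env.get(name, "")
    if key_scope(key) is None:
        raise RuntimeError(f"{name} is unset or is not a Skytells API key")
    return key


def prediction_request(key: str) -> tuple:
    """URL and headers for the predictions endpoint; the key travels only in the Authorization header."""
    return f"{API_BASE}/predictions", {"Authorization": f"Bearer {key}"}


def sign_webhook(raw_body: bytes, secret: str) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the raw body. Used here only to build local test fixtures."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header: Optional[str], secret: str) -> bool:
    """Check X-Skytells-Signature before parsing the body; compare_digest avoids a timing side channel."""
    if not signature_header:
        return False
    expected = sign_webhook(raw_body, secret)
    return hmac.compare_digest(expected, signature_header.strip().lower())


if __name__ == "__main__":
    # Constructed sample values; a real receiver reads the body and header from the HTTP request.
    secret = "whsec_example_constructed"
    body = b'{"id": "pred_123", "status": "succeeded"}'
    sig = sign_webhook(body, secret)
    print("valid signature accepted:", verify_webhook(body, sig, secret))
    print("tampered body rejected:", not verify_webhook(body + b"x", sig, secret))
```

Verify against the raw bytes as received, not a re-serialised JSON object, because any change in whitespace or key order changes the digest.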
Compliance
Skytells maintains the following certifications and compliance standards:
| Standard | Scope | Description |
|---|---|---|
| SOC 2 Type II | Security, Availability, Confidentiality | Independent audit of security controls over a sustained period. |
| ISO 27001:2022 | Information Security Management | Certified information security management system (ISMS). |
| ISO 27017 | Cloud Security | Controls specific to cloud service environments. |
| ISO 27018 | PII in Public Cloud | Protection of personally identifiable information in cloud infrastructure. |
Data Processing
For enterprise customers, Skytells provides:
- Data Processing Addendum (DPA) — GDPR-compliant processing terms available upon request.
- Standard Contractual Clauses (SCCs) — For cross-border data transfers involving EU/EEA data subjects.
- Subprocessor list — Maintained and updated with advance notice of changes.
Secure Development
| Practice | Description |
|---|---|
| Code review | All changes undergo mandatory peer review before deployment. |
| Dependency scanning | Automated vulnerability scanning of all third-party dependencies on every build. |
| Penetration testing | Regular third-party penetration tests conducted against the API and infrastructure. |
| Incident response | Documented incident response procedures with defined escalation paths and SLAs. |
| Responsible disclosure | Security researchers can report vulnerabilities through skytells.ai/contact. |
To request compliance documentation, a DPA, or to report a security concern, visit skytells.ai/contact.