Trust

Security & Trust

Last updated · Jul 8, 2026

Hover’s security posture starts with what it doesn’t do. Hover Cloud runs no browsers, executes none of your tests, and never receives your source code — so the most sensitive things simply never reach us. This page explains how the rest is handled.

The architecture is the security model

Cloud is a data product, not a compute product. Your specs run in your own CI; Cloud reads the results your workflow reports. We can’t leak what we never hold — the smallest possible blast radius is a design choice, not an add-on.

What stays on your machine

The @hover-dev/mcp server and the VS Code extension run locally, inside your own coding agent and editor. Playwright specs, traces, and the .hover/ knowledge files are written to your repo. Your model or API key stays with the agent you run. None of it is transmitted to us.

What Cloud stores

Data is encrypted in transit (TLS). We never receive your application source code, and Cloud never runs your tests.

  • Your account and team (via GitHub sign-in) and the repositories you choose to connect.
  • CI run results your workflow posts to our ingest endpoint: test outcomes, timing, flakiness, and failure / trace metadata — plus the coverage and business-map data derived from your own specs.
  • A per-project ingest token that authenticates your CI reporter — stored only as a SHA-256 hash, and rotatable at any time.

Hosted on audited infrastructure

We run on a small set of established providers, each of which maintains its own SOC 2 and/or ISO 27001 program:

  • GitHub — authentication and repository integration.
  • Vercel — application and site hosting.
  • Supabase — database and authentication storage.

Access & authentication

  • You sign in with GitHub — we store no passwords.
  • The Hover GitHub App requests only the repository scopes you explicitly grant, and you can revoke them from GitHub at any time.
  • CI reporting is authenticated with a hashed, revocable per-project token, separate from user sessions.

Open source & self-host

The authoring tools — the MCP, the extension, and the engine — are open source under Apache-2.0. You can read exactly what they do and run the whole authoring workflow entirely locally, never touching Cloud. There is no lock-in.

Certifications

Hover is in early access. We do not currently hold our own SOC 2 or ISO 27001 attestation — and we won’t display a badge we haven’t earned. Our infrastructure providers are independently audited, and we’ll pursue formal attestation as we grow and as customers need it. If your procurement process requires specific documentation, get in touch.

Reporting a vulnerability

Found a security issue? Email gethover@hyperyond.com with the details and steps to reproduce. We welcome responsible disclosure and will respond as quickly as we can — please give us a chance to fix it before disclosing publicly.

Privacy

For what personal data we collect and the rights you have over it, see the Privacy Policy.