Security

Last updated: February 2026

Overview

Devcast takes security seriously. This page describes how we protect your data, content, and account. Devcast is an early-stage product (MVP) and our security practices will evolve as the platform matures.

Data in Transit

All communication between your browser and Devcast is encrypted using TLS. API requests, file uploads, and video delivery all use HTTPS.

Data at Rest

Data at rest is encrypted by our infrastructure providers. Files are stored in Supabase Storage with server-side encryption. Database records are stored in Supabase-managed PostgreSQL with encryption at rest.

Processing

Video processing (FFmpeg compositing, audio extraction) runs in isolated Docker containers on Railway. Intermediate files (temporary audio, video segments) are cleaned up after each job completes.

Authentication

User authentication is handled by Supabase Auth with cookie-based SSR sessions. API keys use a dc_* prefix and are stored as SHA-256 hashes — we never store plaintext API keys.
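How hash-only API key storage of this kind can work, as an added example that is not Devcast's code. Only the dc_ prefix and SHA-256 come from this page; the key length, the in-memory store and every function name are assumptions.

```python
import hashlib
import secrets
from typing import Optional

KEY_PREFIX = "dc_"  # prefix stated on the page; everything else is assumed


def hash_key(api_key: str) -> str:
    """SHA-256 hex digest of the full key string: the only value persisted."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


class ApiKeyStore:
    """Hypothetical in-memory stand-in for a database table of key hashes."""

    def __init__(self) -> None:
        self._owner_by_hash = {}  # sha256 hex digest -> user id

    def issue(self, user_id: str) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG. With this much
        # entropy an unsalted fast hash is not practical to brute-force,
        # which is why SHA-256 suits random keys but not passwords.
        api_key = KEY_PREFIX + secrets.token_urlsafe(32)
        self._owner_by_hash[hash_key(api_key)] = user_id
        return api_key  # returned to the caller once, never stored

    def verify(self, presented: object) -> Optional[str]:
        # Reject malformed input before doing any hashing or lookup.
        if not isinstance(presented, str) or not presented.startswith(KEY_PREFIX):
            return None
        # Mirrors an indexed lookup on the hash column: the server hashes
        # what it receives and compares digests, never plaintext keys.
        return self._owner_by_hash.get(hash_key(presented))

    def revoke(self, presented: str) -> bool:
        return self._owner_by_hash.pop(hash_key(presented), None) is not None

    def stored_values(self) -> list:
        """What a database dump would expose: digests only."""
        return list(self._owner_by_hash)


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("user-1")  # constructed sample user id
    print("issued:", key[:7] + "...", "owner:", store.verify(key))
    print("persisted:", store.stored_values())
```

Because only digests are persisted, a lost key cannot be recovered from the store; it can only be revoked and reissued.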

Access Control

Database access is enforced through Supabase Row Level Security (RLS). Users can only access their own data. Service-level operations (background jobs, admin tasks) use a separate service role with elevated permissions.

AI Provider Data

When you create an AI avatar, your onboarding video is sent to third-party AI providers (e.g., ElevenLabs, D-ID, HeyGen) for voice cloning and likeness processing. These providers process data under their own security and privacy policies. We only send data necessary for avatar creation.

Retention

Intermediate processing files are deleted after video generation. Generated videos are retained until you delete them or close your account. Account data is retained until you request deletion.

Consent Model

AI avatar creation is fully opt-in and requires explicit user consent. Users can generate videos without an avatar using walkthrough-only formats.

Error Tracking

We use Sentry for error tracking on both client and server. Sentry captures error stack traces and request metadata but is configured to avoid collecting personally identifiable information (PII).

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly by emailing hello@devcast.ai. We appreciate responsible disclosure and will respond promptly.

MVP Disclaimer

Devcast is an early-stage product. While we follow security best practices, our infrastructure and processes are actively evolving. We do not yet offer SOC 2 compliance, penetration test reports, or formal security certifications.