Built to be auditable
StateAnchor never writes to your repo, never stores your source code, and never modifies your deployed services. We do write the things we have to: gate verdicts, an entry to the public Merkle log per sync run, and exception records -- enumerated in full below.
What StateAnchor does and does not do
Does
Never does
How the architecture enforces these guarantees
Desired-state plane
stateanchor.yaml is the only authoritative source. Nothing writes back to it automatically. Not scanners. Not runtime probes. Not the gate. The spec is declared. Everything else is derived.
Observation plane
Source scanners and optional runtime probes detect what your live API actually does. This plane is observational only. It surfaces warnings. It informs the gate. It never overwrites the spec and never becomes authoritative.
Derivation plane
SDKs, your MCP server, OpenAPI 3.1 docs — all derived from the spec. Never the source of truth. When the spec changes, they rebuild. They are consequences, not causes.
StateAnchor implements a generalized reconciliation closure engine — the API contract use case is the first application.
The gate is conservative by design
Always blocks
Endpoint removed. Required field deleted. Type changed. Auth scheme changed. No threshold. No override without a scoped exception recorded in the exception ledger.
Blocks above threshold
Optional field removed. Deprecation violated. Response shape changed. Configurable enforcement per team.
Always passes
New endpoint added. Optional field extended. Description changed. Additive changes never block your pipeline.
The categorical lane drives the gate decision. Not a score. Not a heuristic. If the lane is ERR, the gate blocks. No exceptions without an explicit override recorded in the exception ledger.
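To make the lane rules above concrete, here is a small gate in Python written for this page. It is an added illustration, not StateAnchor's gate: the spec layout (a top-level auth scheme plus endpoints with params and response field maps), the finding names and the sample specs are assumptions made for the example. It goes one step beyond the list above in one place: a newly added required request field is also treated as blocking, because existing callers that do not send it would start failing.

```python
"""Categorical gate over two API spec snapshots.

Added illustration of the gate rules described on the page; not StateAnchor's code.
The spec layout (top-level auth scheme, endpoints with params/response field maps)
and the finding names are assumptions made for this example.
"""
from dataclasses import dataclass

ERR, WARN, OK = "ERR", "WARN", "OK"


@dataclass(frozen=True)
class Finding:
    lane: str
    kind: str
    path: str  # "<endpoint>" or "<endpoint>/<field>"

    @property
    def key(self) -> str:
        """The exact identifier an exception-ledger entry must name to excuse this finding."""
        return f"{self.kind}@{self.path}"


def _diff_fields(endpoint, old, new, is_request, out):
    """Compare {name: {"type": ..., "required": ...}} maps for one endpoint."""
    for name, spec in old.items():
        loc = f"{endpoint}/{name}"
        if name not in new:
            # required-ness comes from the old spec: the field no longer exists in the new one
            if spec.get("required"):
                out.append(Finding(ERR, "required-field-deleted", loc))
            elif is_request:
                out.append(Finding(WARN, "optional-field-removed", loc))
            else:
                out.append(Finding(WARN, "response-shape-changed", loc))
        elif spec.get("type") != new[name].get("type"):
            out.append(Finding(ERR, "type-changed", loc))
    for name in new.keys() - old.keys():
        # A new required request field breaks callers that do not send it (not in the
        # page's list; an addition of this example). Anything else added is additive.
        lane = ERR if is_request and new[name].get("required") else OK
        out.append(Finding(lane, "field-added", f"{endpoint}/{name}"))


def diff_specs(old, new):
    """Every change between two specs, each tagged with its categorical lane."""
    out = []
    if old.get("auth") != new.get("auth"):
        out.append(Finding(ERR, "auth-scheme-changed", "auth"))
    old_eps, new_eps = old["endpoints"], new["endpoints"]
    for ep in old_eps.keys() - new_eps.keys():
        out.append(Finding(ERR, "endpoint-removed", ep))
    for ep in new_eps.keys() - old_eps.keys():
        out.append(Finding(OK, "endpoint-added", ep))
    for ep in old_eps.keys() & new_eps.keys():
        o, n = old_eps[ep], new_eps[ep]
        if o.get("description") != n.get("description"):
            out.append(Finding(OK, "description-changed", ep))
        _diff_fields(ep, o.get("params", {}), n.get("params", {}), True, out)
        _diff_fields(ep, o.get("response", {}), n.get("response", {}), False, out)
    return out


def gate(old, new, warn_threshold=0, exceptions=frozenset()):
    """Return (lane, verdict, findings).

    `exceptions` holds Finding.key strings from the exception ledger; only an exact
    key excuses a blocking finding, so an override is always scoped to one change.
    """
    findings = diff_specs(old, new)
    blocking = [f for f in findings if f.lane == ERR and f.key not in exceptions]
    warnings = [f for f in findings if f.lane == WARN]
    lane = ERR if blocking else WARN if warnings else OK
    # ERR always blocks; WARN blocks only once the team's threshold is exceeded.
    verdict = "BLOCK" if lane == ERR or len(warnings) > warn_threshold else "PASS"
    return lane, verdict, findings


# Constructed before/after specs for the example (not a real project).
OLD_SPEC = {
    "auth": "bearer",
    "endpoints": {
        "GET /users": {
            "description": "List users",
            "params": {"limit": {"type": "integer", "required": False},
                       "org": {"type": "string", "required": True}},
            "response": {"id": {"type": "string"}, "email": {"type": "string"},
                         "legacy_name": {"type": "string"}},
        },
        "DELETE /users/{id}": {"description": "Delete a user"},
    },
}
NEW_SPEC = {
    "auth": "bearer",
    "endpoints": {
        "GET /users": {
            "description": "List users in an organisation",  # description change: passes
            "params": {"limit": {"type": "integer", "required": False},
                       "cursor": {"type": "string", "required": False}},  # org gone: blocks
            "response": {"id": {"type": "string"}, "email": {"type": "string"}},  # shape changed
        },
        "GET /users/{id}": {"description": "Fetch one user"},  # additive: passes
    },  # DELETE /users/{id} removed: blocks
}
```

The exception ledger is modelled as a set of exact finding keys: an override excuses one specific finding at one path, never a whole category, which is what keeps it scoped. With the two blocking findings in the sample excused, the run drops to the WARN lane and the remaining response-shape warning blocks or passes depending on the team's threshold.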
Data retention
We store
We never store
Sync run records are retained for 90 days. Older records are archived and available on request for paid plans. Export your data at any time from Settings → Export.
Encryption and data handling
Encryption at rest
Supabase provides AES-256 encryption at rest for all customer data. Encryption is applied at the storage layer and requires no additional configuration from customers. Storage-layer encryption protects data on the underlying media; what an authenticated application or database role can read is governed separately by database access controls.
Encryption in transit
All data in transit is encrypted via TLS 1.2+ enforced at the Vercel edge. Connections that do not meet this standard are rejected before reaching the application layer.
HIPAA
StateAnchor manages API specification files and gate decision records. It does not process, store, or transmit Protected Health Information (PHI) as defined under HIPAA. If your use case involves PHI, please contact us before proceeding — StateAnchor’s standard service agreement does not include a Business Associate Agreement.
GitHub access
StateAnchor requests the minimum GitHub App permissions required:
StateAnchor’s GitHub App never writes to your repository. The GitHub Actions workflow that runs the gate separately uses GitHub’s built-in GITHUB_TOKEN (not the StateAnchor App) to post gate verdict comments on pull requests, which requires pull-requests: write in your workflow permissions. That permission covers pull request comments, reviews, labels and metadata; it does not include contents: write, so the token cannot push to branches or modify your code. Note that declaring a permissions block in a workflow sets every permission you do not list to none.
We never request write permissions on the GitHub App. Installation can be revoked at any time from your GitHub App settings.
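An added example of the least-privilege permissions block this implies. It is not a workflow shipped by StateAnchor; the step that runs the gate is a placeholder, and the comment is posted with the gh CLI that GitHub-hosted runners provide.

```yaml
# Added example, not a StateAnchor-provided workflow. The gate step is a placeholder.
name: api-contract-gate
on:
  pull_request:

# Listing any permission here sets every unlisted permission to "none".
permissions:
  contents: read        # actions/checkout needs to read the repository
  pull-requests: write  # lets GITHUB_TOKEN post the verdict comment; no push rights

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run the gate (placeholder; the real invocation depends on your setup)
        run: echo "gate runs here"

      - name: Post the verdict as a pull request comment
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body "API contract gate: see job log"
```

One caveat: for pull_request events raised from a fork, GitHub issues a read-only GITHUB_TOKEN regardless of this block, so the comment step fails there; that is a GitHub restriction, not a StateAnchor one.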
StateAnchor also subscribes to push and pull_request webhook events. Webhooks are event subscriptions rather than additional permissions: they deliver event payloads (commit SHAs, pull request metadata) to StateAnchor and do not widen what the App can read or write through the API.
Security program
StateAnchor’s SOC 2 Type I audit is in progress. Our security posture is designed from first principles rather than checked post-hoc: our append-only audit trail, cryptographic provenance chain, and public Merkle log are architectural decisions — not compliance theater. If your organization requires SOC 2, contact us — we’ll discuss timeline and scope.
Incident response
We maintain an incident response plan with a 72-hour customer notification commitment for security incidents affecting customer data. Historical incidents (if any) are disclosed in our changelog.
Dependency scanning
Dependencies are monitored via GitHub Dependabot with automatic security alerts on all critical and high CVEs.
Sub-processors
The following third-party services process customer data on StateAnchor’s behalf.
| Provider | Purpose | Data processed | Region | Security page |
|---|---|---|---|---|
| Vercel | Infrastructure and hosting -- serves all web traffic and serverless API routes | HTTP request logs, edge function execution metadata; no customer API spec content stored at this layer | USA | vercel.com/security |
| Supabase | Relational database -- stores all customer and application data at rest | API spec YAML content; gate decision results; user account records (email, credit balance); sync run history; Merkle log entries | USA | supabase.com/security |
| Clerk | Authentication and identity management -- handles sign-in, session tokens, user records | Email address; hashed passwords; session tokens; authentication event logs | USA | clerk.com/security |
| Trigger.dev | Background job processing -- runs the sync pipeline workers and scheduled tasks | Sync job payloads (project ID, commit SHA, spec diff hash); job execution logs; retry state | USA | trigger.dev/security |
| Anthropic | AI generation -- produces SDK wrappers and MCP server artifacts from API specs | API spec YAML content submitted for generation only; no customer PII is transmitted to this service | USA | trust.anthropic.com |
Sub-processors maintain SOC 2 compliance programs. Individual certification levels vary; Type II reports available on request. StateAnchor does not sell, rent, or share customer data with any party not listed above.
Every gate decision, cryptographically verifiable
StateAnchor maintains a public, append-only, cryptographically verifiable record of every gate decision it has ever made. Each entry is hashed as an RFC 6962 leaf and appended to a Merkle tree, so any entry can be tied to a published tree head by an inclusion proof and any two tree heads can be checked for consistency. This means you can verify that StateAnchor has never silently changed a verdict, never deleted a record, and never back-dated a decision, without having to take StateAnchor’s word for it. The check is only as strong as your own copy of the tree heads: record the root hash and tree size you observe, and verify that each later head is consistent with it.
RFC 6962 compliant. Append-only. Every gate decision, cryptographically verifiable.
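As an added example of what a client can check independently, the block below implements the RFC 6962 tree hashing together with inclusion and consistency proof generation and verification; the verification loops follow the algorithms written out in RFC 9162, which uses the same tree hashing. This is not StateAnchor's code, and the log entries are constructed for the example.

```python
# RFC 6962 Merkle tree: hashing, root, inclusion and consistency proofs.
# Added example, not StateAnchor's code; the log entries below are constructed and the
# verification loops follow the algorithms spelled out in RFC 9162 (same tree hashing).
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()  # 0x00 prefix marks a leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 marks an interior node

def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 section 2.1)."""
    return 1 << ((n - 1).bit_length() - 1)

def root_hash(leaves):
    """Merkle Tree Hash over a list of leaf hashes."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_proof(leaves, m):
    """Sibling hashes, leaf to root, proving leaves[m] is in the tree."""
    if len(leaves) <= 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [root_hash(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [root_hash(leaves[:k])]

def verify_inclusion(leaf, m, n, proof, expected_root):
    """True iff `proof` ties leaf index m of an n-leaf tree to expected_root."""
    if m >= n:
        return False
    fn, sn, r = m, n - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:  # climb past levels where we were a lone right child
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == expected_root

def consistency_proof(leaves, m):
    """Proof that the first m leaves (0 < m < len(leaves)) are a prefix of the tree."""
    def subproof(lv, m, b):
        if m == len(lv):
            return [] if b else [root_hash(lv)]
        k = _split(len(lv))
        if m <= k:
            return subproof(lv[:k], m, b) + [root_hash(lv[k:])]
        return subproof(lv[k:], m - k, False) + [root_hash(lv[:k])]
    return subproof(leaves, m, True)

def verify_consistency(first, second, first_hash, second_hash, proof):
    """True iff the tree of size `second` extends the tree of size `first`."""
    if first == 0 or first >= second or not proof:
        return False
    path = ([first_hash] if (first & (first - 1)) == 0 else []) + list(proof)
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_hash and sr == second_hash and sn == 0

# Constructed sample log entries, one gate record per sync run (not real data).
ENTRIES = [b'{"run":%d,"verdict":"%s"}' % (i, v.encode())
           for i, v in enumerate(["PASS", "BLOCK", "PASS", "PASS", "BLOCK"])]

def audit_example():
    """(inclusion_ok, tamper_detected, consistency_ok) for the sample log."""
    leaves = [leaf_hash(e) for e in ENTRIES]
    root5 = root_hash(leaves)
    proof = inclusion_proof(leaves, 1)
    inclusion_ok = verify_inclusion(leaves[1], 1, 5, proof, root5)
    forged = leaf_hash(ENTRIES[1].replace(b"BLOCK", b"PASS"))  # verdict flipped after the fact
    tamper_detected = not verify_inclusion(forged, 1, 5, proof, root5)
    root3 = root_hash(leaves[:3])  # tree head a client recorded after the third run
    consistency_ok = verify_consistency(3, 5, root3, root5, consistency_proof(leaves, 3))
    return inclusion_ok, tamper_detected, consistency_ok
```

An inclusion proof shows that one verdict is in the tree under a given root; a consistency proof shows that a later root extends an earlier one without rewriting anything, which is what the append-only claim amounts to. Both checks depend on the client keeping the tree heads it has seen, which is why the 0x00/0x01 domain separation matters: without it a node hash could be passed off as a leaf.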
Merkle log and private repositories
The public Merkle log records your gate verdict, syndrome hashes, and commit SHA for each sync run. Commit SHAs from public repos are already public. A SHA from a private repo does not reveal repository content, but it is a stable identifier: anyone who later gains read access to the repo can match log entries to specific commits, and the sequence of entries itself shows how often you sync and how often the gate blocks.
If you have a private repo and want your commit SHAs excluded from the public log, email support@stateanchor.dev and we will enable private-mode logging for your project — verdict and timestamp are still recorded, the SHA is not.