Security & Privacy
Cloud Connect is designed with security at its core. Your code stays on your machine—only control messages and status data flow through our relay.
Core Security Principles
Your Code Never Leaves
Cloud Connect only transmits status messages and control commands. Your source code, files, and sensitive data stay on your local machine.
End-to-End Encryption
All connections use TLS 1.3. Messages between your devices are encrypted in transit and cannot be read by the relay.
No Inbound Exposure
Your machine makes outbound connections only. There are no open ports, no public IP requirements, no attack surface.
User Isolation
Strict access controls ensure you can only communicate with your own devices. Cross-user routing is blocked at the protocol level.
Transport Security
WSS-Only Connections
All relay communication uses WebSocket Secure (WSS) over TLS 1.3. Plaintext connections are rejected at the protocol level.
Certificate Pinning
The Verdict IDE client pins relay certificates to prevent man-in-the-middle attacks, even on compromised networks.
Authentication & Authorization
OAuth Login
Sign in with your Google or GitHub account. We don't store passwords—authentication is handled by your identity provider.
Device Registration
Each device is registered using a secure device-code flow:
- Your IDE generates a unique device code
- You approve the code at verdictide.com while signed in
- The device receives a long-lived device token
- All subsequent connections use this token
Short-Lived Relay Tokens
When connecting to the relay, your device exchanges its device token for a short-lived relay token. These tokens:
- Expire after 15 minutes
- Are automatically refreshed while connected
- Can be revoked instantly if a device is compromised
- Are bound to a specific user and device
Device Revocation
Lost a device? You can revoke it instantly from Account → Devices. Revocation:
- Invalidates all tokens for that device
- Drops any active relay connections
- Takes effect immediately (no propagation delay)
Access Control
Feature-Based Authorization
Access to Cloud Connect features is controlled by your subscription tier:
| Feature | Free | Pro |
|---|---|---|
| Device registration | 1 device | 5 devices |
| Remote monitoring | Yes | Yes |
| Remote control (pause/resume) | Yes | Yes |
| Companion app access | No | Yes |
Allowlisted Control Actions
The relay only permits a fixed set of control actions:
- task.pause – Pause a running task
- task.resume – Resume a paused task
- task.restart – Restart a task
- task.clear_error – Clear an error state
- system.refresh – Request fresh telemetry
Arbitrary command execution is not supported. This is intentional.
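The checks described under Short-Lived Relay Tokens, User Isolation and Allowlisted Control Actions can be combined into a single deny-by-default decision per message. The sketch below is an added example, not Verdict IDE's relay code; the `RelayToken` fields, the message keys `target_device` and `action`, the `authorize` function and the sample registry are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass

# The five control actions listed on this page; anything else is rejected.
ALLOWED_ACTIONS = frozenset({
    "task.pause", "task.resume", "task.restart",
    "task.clear_error", "system.refresh",
})
RELAY_TOKEN_TTL = 15 * 60  # seconds; the page states a 15-minute expiry


@dataclass(frozen=True)
class RelayToken:  # hypothetical shape of an already-verified token's claims
    user_id: str
    device_id: str
    issued_at: float


def authorize(token, message, device_owner, revoked, now=None):
    """Return (allowed, reason) for one control message; deny by default."""
    now = time.time() if now is None else now
    target, action = message.get("target_device"), message.get("action")
    if not isinstance(target, str) or not isinstance(action, str):
        return False, "malformed message"
    if token.device_id in revoked or target in revoked:
        return False, "device revoked"
    if not 0 <= now - token.issued_at < RELAY_TOKEN_TTL:
        return False, "token expired"
    # Token binding: the sending device must be registered to the token's user.
    if device_owner.get(token.device_id) != token.user_id:
        return False, "token binding mismatch"
    # User isolation: the target must belong to the same user as the sender.
    if device_owner.get(target) != token.user_id:
        return False, "cross-user routing blocked"
    # Allowlist last: only the fixed action set is ever forwarded.
    if action not in ALLOWED_ACTIONS:
        return False, "action not allowlisted"
    return True, "ok"


# Constructed sample data (not real users or devices).
OWNERS = {"laptop-a": "alice", "phone-a": "alice", "laptop-b": "bob"}
TOKEN = RelayToken("alice", "phone-a", issued_at=1_000.0)

if __name__ == "__main__":
    for act in ("task.pause", "shell.exec"):
        msg = {"target_device": "laptop-a", "action": act}
        print(act, authorize(TOKEN, msg, OWNERS, set(), now=1_100.0))
```

Every rejection returns a distinct reason string, which gives connection-level logging something to record without touching message content.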
Data Privacy
What Data Flows Through the Relay
| Data Type | Flows Through Relay? | Stored? |
|---|---|---|
| Source code | No | No |
| File contents | No | No |
| API keys / secrets | No | No |
| Task status (running/paused) | Yes | No* |
| HUD metrics (tokens, health) | Yes | No* |
| Control commands | Yes | No* |
*Messages are held in memory only while being routed. No persistent storage.
Logging Policy
The relay logs connection events (connect/disconnect) for operational monitoring, but does not log message content. Tokens in URLs are redacted.
Data Retention
- Account data: Retained while your account is active
- Device records: Retained until you revoke the device
- Connection logs: Retained for 30 days
- Message content: Not stored (memory-only routing)
Incident Response
If Your Device is Lost or Stolen
- Go to Account → Devices
- Find the compromised device
- Click "Revoke"
- The device is immediately disconnected and cannot reconnect
If You Suspect Unauthorized Access
- Revoke all devices from Account → Devices
- Sign out of all sessions
- Change your OAuth provider password (Google/GitHub)
- Re-register only devices you control
Reporting Security Issues
Found a vulnerability? Email security@verdictide.com. We take security reports seriously and respond within 24 hours.