Wrapd routes commands to your infrastructure. We take that responsibility seriously. This page describes how we protect your data at every layer.
Understanding the architecture is key to understanding the security model.
The Wrapd agent is a compiled binary that runs on your infrastructure. Commands execute locally on the machine where the agent is installed. We never have shell access to your systems.
Our tunnel server routes messages between callers and your agent over authenticated WebSocket connections. Command outputs stream through but are not persisted. We store only execution metadata (exit codes, duration, byte counts).
Cloud Runner containers have no network egress, read-only root filesystems, process limits (256 PIDs), CPU/memory cgroups, and run as a non-root user. Containers are destroyed after each execution.
All connections use TLS 1.2+. Agent WebSocket connections are encrypted end-to-end. API calls, dashboard access, and tunnel traffic are served over HTTPS with automatic certificate management.
Managed secrets are encrypted with AES-256-GCM using a dedicated encryption key before being written to the database. Slack OAuth tokens are encrypted with the same standard. We cannot read your secret values.
API keys and agent tokens are stored as SHA-256 hashes. The plaintext token is shown once at creation and never stored. Even with full database access, tokens cannot be recovered.
We use magic link authentication — no passwords to leak, phish, or reuse. Login tokens expire after 15 minutes and can only be used once. Sessions are issued as signed JWTs with 7-day expiry.
API keys can be scoped to specific endpoints. Callers can only execute the endpoints their key is authorized for. Keys can be rotated with configurable grace periods for zero-downtime rotation.
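The key-handling model from the two paragraphs above (hashed-at-rest keys shown once at creation, endpoint scoping, and rotation with a grace period), as an added illustration that is not Wrapd's own code; the in-memory store, the `wk_` prefix and the integer timestamps are constructed assumptions for the example:

```python
import hashlib
import hmac
import secrets


def hash_token(token: str) -> str:
    """SHA-256 of the plaintext key: the only form that is ever persisted."""
    return hashlib.sha256(token.encode()).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for a keys table; holds hashes, scopes and expiry only."""

    def __init__(self):
        self.records = {}  # sha256 hex -> {"key_id", "scopes", "expires_at"}

    def create(self, key_id: str, scopes: set) -> str:
        token = "wk_" + secrets.token_urlsafe(32)  # "wk_" prefix is a constructed convention
        self.records[hash_token(token)] = {
            "key_id": key_id, "scopes": set(scopes), "expires_at": None}
        return token  # shown to the caller once; the plaintext is not kept anywhere

    def rotate(self, key_id: str, grace_s: int, now: int) -> str:
        # The old hash is not deleted but given an expiry, so callers still sending
        # the old key keep working until the grace period ends (zero-downtime rotation).
        scopes = set()
        for rec in self.records.values():
            if rec["key_id"] == key_id and rec["expires_at"] is None:
                rec["expires_at"] = now + grace_s
                scopes = rec["scopes"]
        return self.create(key_id, scopes)

    def lookup(self, token: str, now: int):
        digest = hash_token(token)
        for stored, rec in self.records.items():
            # constant-time compare so the loop leaks nothing about partial matches
            if hmac.compare_digest(stored, digest):
                active = rec["expires_at"] is None or now < rec["expires_at"]
                return rec if active else None
        return None

    def authorize(self, token: str, endpoint: str, now: int) -> bool:
        """True only for a live key whose scopes include this endpoint."""
        rec = self.lookup(token, now)
        return rec is not None and endpoint in rec["scopes"]
```

Because only digests are stored, dumping `records` never yields a usable key; an unexpired old key and the new key are both accepted during the grace window.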
Team members are assigned roles (owner, admin, member) with granular permissions. Members can execute endpoints but cannot create, modify, or delete them. Audit logs track every action with actor attribution.
Teams can configure SAML 2.0 SSO with their identity provider. Email domain matching ensures users are routed to SSO login automatically, so access control is centralized in your IdP.
Endpoints marked as privileged require team owner or admin authorization to execute. Team members with API keys get a 403 on privileged endpoints, preventing accidental execution of destructive commands.
Endpoints can require approval before execution. Approval requests are sent via email with one-click approve/deny links. Requests expire after a configurable timeout.
The AI generation system blocks commands containing dangerous patterns: rm -rf, mkfs, dd if=, chmod 777, curl|bash, fork bombs, and raw device access. These filters apply to AI-generated commands — you remain in full control of manually created endpoints.
Inline arguments (${name}) are shell-escaped before substitution. Arguments with control characters are rejected. Commands without inline args use direct execution (no shell) to prevent injection.
Redis-backed sliding window rate limiting protects against abuse. Tier-based limits (30/120/600 RPM) apply to executions. Auth endpoints have separate per-IP limits. Rate limit headers are included in every response.
Every execution has a configurable timeout (tier-limited: 60s/30min/1hr). The agent kills the process on expiry with exit code 124. Cloud Runners enforce hard container timeouts at the infrastructure level.
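An added example, not the agent's own code, of the execution rules described above: `${name}` arguments are shell-quoted, values with control characters are rejected, a template with no placeholders is exec'd directly without a shell, and a command that outlives its timeout is killed and reported as exit code 124. The regex, helper names and `/bin/sh -c` invocation are assumptions made for the illustration:

```python
import re
import shlex
import subprocess

ARG_PATTERN = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# C0 control characters and DEL are rejected rather than escaped.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
TIMEOUT_EXIT_CODE = 124  # the exit code the agent reports when the timeout expires


def render_command(template: str, args: dict) -> str:
    """Replace each ${name} with the shell-quoted value of args[name]."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in args:
            raise KeyError(f"missing inline argument: {name}")
        value = str(args[name])
        if CONTROL_CHARS.search(value):
            raise ValueError(f"inline argument {name} contains control characters")
        return shlex.quote(value)  # e.g. "x; id" becomes the single word 'x; id'
    return ARG_PATTERN.sub(substitute, template)


def build_invocation(template: str, args: dict) -> tuple:
    """Return (argv, uses_shell). A shell is involved only when inline args exist."""
    if ARG_PATTERN.search(template):
        return ["/bin/sh", "-c", render_command(template, args)], True
    # No placeholders: split once and exec directly, so no shell ever parses the text.
    return shlex.split(template), False


def execute(template: str, args: dict, timeout_s: float) -> tuple:
    """Run the endpoint command and return (exit_code, stdout)."""
    argv, _ = build_invocation(template, args)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising; report it the way the agent does
        return TIMEOUT_EXIT_CODE, ""
    return proc.returncode, proc.stdout
```

With the quoting in place, an argument such as `x; id` is echoed back literally instead of being parsed as a second command.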
Execution logs (metadata only) are retained for 30 days. Command outputs are streamed and not persisted. Health check events are pruned to 1,000 per endpoint. Audit logs are retained for 90 days.
You can export all your data (endpoints, pipelines, configurations) at any time via the API. We support your right to data portability under GDPR and similar regulations.
You can permanently delete your account and all associated data from your account settings. Managed secrets are deleted immediately. All other data is purged within 30 days.
We do not use your endpoint configurations, command content, or execution data to train AI models. AI generation prompts are sent to Anthropic's API under their commercial terms, which prohibit training on API inputs.
The Wrapd platform runs on dedicated infrastructure with encrypted storage, private networking between services, and automated backups. Database access is restricted to application services within the private network.
We pin dependency versions and review updates. The agent is distributed as a compiled binary with SHA-256 checksum verification. Auto-updates verify checksums before applying.
If you discover a security vulnerability in Wrapd, please report it responsibly to security@wrapd.sh. We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
Please do not disclose vulnerabilities publicly until we have had a reasonable opportunity to address them. We will not take legal action against security researchers who act in good faith.
For security questionnaires, compliance inquiries, or to request a copy of our DPA, contact security@wrapd.sh.