Trust

No lock-in. Ever.

Always yours. Even on paid plans.

StackWeavers commits to three things on every plan, including Free. We don't train on your code, the code lives in your cloud, and the code is structured so other developers and other agents can pick it up. Privacy, ownership, and portability are defaults, not upsells. Walk away whenever you want. Your code keeps working.

Privacy

No training on your code. No fine-tuning on your data. Zero retention with model providers. Default on every plan, including Free.

Ownership

Your code, your schemas, your infrastructure, your deploy. The platform runs in your cloud. We never see production.

Portability

The code is structured so other developers and other agents can pick it up. Real conventions, real tests, real documentation. The day you outgrow us, your codebase doesn't fight you.

You own what we build.

All applications, code, schemas, deployment artifacts, and platform-resident IP generated through StackWeavers belong entirely to you.

That's not a clause buried in legal. It's a top-level commitment we'll repeat in the MSA, the DPA, the technical implementation, and every conversation we have. It's what's increasingly called sovereign AI: you keep sovereignty over the code, the data, and the keys, because the work runs in your cloud and is never trained on.

Zero Trust — by architecture, not policy.

Most vendors ask you to trust them with your code. We removed the ask.

Your code and data never leave your cloud. We don't get a copy, a cache, or production access. There's nothing for us to leak, lose, or have subpoenaed — because we never had it in the first place. Trust isn't a promise; it's a constraint we built ourselves into.

Baseline security, today.

  • TLS encryption in transit via the cloud providers we deploy into.
  • AES-256 encryption at rest via the same providers.
  • No training on your code, on every plan.
  • Audit logging on Team and Enterprise plans.
  • Vulnerability disclosure at /.well-known/security.txt.

Where your data lives.

You pick the region. We deploy into it. The platform doesn't move your data anywhere else.

EU & UK — sovereignty-first

AWS, GCP, and Azure EU regions today. Scaleway and OVHCloud on the roadmap for fully EU-domiciled deploys with no US-jurisdiction dependency at the infrastructure layer. GDPR DPA and UK DPA available. For the broader EU-cloud landscape see european.cloud.

United States & Canada

AWS, GCP, and Azure regions across all US and Canada locations. HIPAA eligible on Enterprise with a BAA. FedRAMP track on the roadmap, demand-led.

Middle East & North Africa

AWS Bahrain and UAE regions, Azure UAE. Data-residency routing for GCC and MENA compliance on the roadmap.

Asia-Pacific

AWS, GCP, and Azure regions across APAC. Local compliance posture per region; Singapore, Sydney, Tokyo, and Mumbai supported today.

Advanced data protection, in pipeline.

For regulated industries and high-sensitivity workloads, the next wave of security capabilities is already scoped (Phase 3, Enterprise GA):

  • PII detection and automated masking in logs, prompts, and outputs.
  • Customer-managed encryption keys (CMEK). Customer holds the key. Platform never sees it.
  • Field-level encryption for sensitive columns (PHI, payment data, regulated identifiers).
  • Data-residency routing for GDPR / UK DPA / local compliance.
  • Expanded certifications: HIPAA, ISO 27001, FedRAMP track for public sector.

Audit-ready artifacts.

We can produce a security-and-due-diligence summary covering our current posture and compliance roadmap (ISO 27001, HIPAA) on request. Email security@stackweavers.com.

Trust FAQ

Do you train AI models on our code?
No. Not on any plan. No fine-tuning on customer data. Zero retention with the model providers we use. Default behavior on Free, Pro, Team, and Enterprise.

Where does our code physically live?
In your Git provider and your cloud account. The platform deploys into your AWS, GCP, or Azure accounts. We don't host your production.

What about model API calls? Does the data leave our environment?
In BYOK mode, your model provider sees the prompts and outputs and no other party does. In managed mode, the platform proxies model calls under our zero-retention contract with the provider. Either way, the customer holds the model keys on Enterprise.

What certifications do you have?
Our strongest answer is structural, not a logo: your code runs in your own cloud, on your keys, and we never train on it. ISO 27001, HIPAA, and a FedRAMP track are on the compliance roadmap. Baseline encryption (TLS in transit, AES-256 at rest) is in place today via the cloud providers we deploy into.

Do you offer a DPA?
Yes. A standard DPA is available at /legal/dpa. Custom redlines on Enterprise.

What happens if we outgrow you?
Your code is documented and conventional. Hand it to another team or another agentic platform. The migration cost is the same as moving between any two engineering teams: the orientation time of the new owner. That's the portability promise.

Build what you want. Own what you build.