Security at AI Expedite

Security you can read

Workspace-isolated, encrypted by default, with a signed terminal that runs nothing without you knowing.

Built on Google Cloud · signed for macOS and Windows

What this page is about

Four properties we hold to

AI Expedite runs alongside the systems you trust most — your codebase, your analytics, your Gmail, your cloud projects. These four properties are the floor we design every feature against.

Workspace isolation

Every document and artifact is scoped to a workspace and gated by server-side rules — no shared blast radius between accounts.

Encrypted by default

TLS in transit with HSTS preload. Google-managed encryption at rest for every Firestore document and storage object.

Signed terminal app

Code-signed for macOS and Windows. Commands run only from an allowlist or after you approve them in a native OS dialog.

You stay in control

Narrow OAuth scopes you can revoke anytime. Source-available terminal you can audit before you trust it.

How it works

What the platform actually does

Step 1 — Authentication & access

Identity verified on every request

You sign in with Firebase Authentication. Every API call re-verifies your ID token, including a revocation check — so disabling a user takes effect immediately, not at the next token expiry.

Our backend microservices talk to each other with Google-issued OIDC identity tokens that are audience-bound to the receiving service. A token aimed at one service is rejected by every other service. Tokens cannot be replayed sideways.

Under the hood

  • Firebase ID tokens with server-side revocation checks
  • Audience-bound OIDC for every service-to-service call
  • Firestore Security Rules enforce workspace membership server-side
  • Path allowlist on the API proxy prevents SSRF and lateral movement

Step 2 — Your data

Encrypted, isolated, durable

Traffic to AI Expedite is served over HTTPS with HSTS preload. Your Firestore documents, uploaded artifacts, execution logs, and backups are encrypted at rest by Google Cloud's managed key infrastructure.

When an agent runs, the relevant prompt and context are sent to an AI provider (Anthropic, OpenAI, Google) for inference — over their commercial API endpoints, whose terms exclude using customer inputs to train their models.

We do not train models of our own on your data.

What we store and log

  • Firestore + Cloud Storage on Google Cloud, encrypted at rest
  • Point-in-time recovery plus regular exports to Cloud Storage
  • Long-running agent work is checkpointed and resumable across deploys
  • Logs capture metadata only — no request bodies, no API keys, no file contents

Step 3 — The terminal app

Nothing runs without you knowing

The terminal is a local app that lets our agents execute work on your machine — your codebase, your shell, your tools. It's the part of the product we've spent the most time hardening.

Every command the agent wants to run is checked against an allowlist of safe-by-default operations (the common shape of git, npm, build tools, container tools, cloud CLIs). Anything outside the allowlist surfaces a native OS approval dialog with the exact command before it runs — you approve once, approve as a pattern, or deny.

Arguments are normalized before matching, so a newline or chained operator can't smuggle a second command through. Your code is read into the agent context only when the agent explicitly asks — never as a background scan.

The default posture is restrictive. The agent cannot run an arbitrary command on your machine.

What the terminal guarantees

  • Code-signed binaries — macOS notarized, Windows Authenticode
  • Allowlist + native approval dialog for anything outside it
  • Argument normalization blocks newline / chained-command smuggling
  • No background filesystem scan — files are read only on explicit request
  • Source-available on GitHub — auditable before you trust it (proprietary license, no redistribution)
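One way to build the allowlist-plus-normalization gate described above, as an added example that is not the terminal app's own code: the allowlist entries and the allow/ask/deny labels are assumptions, and the returned argv is meant for a no-shell spawn so that quoted operators stay literal arguments.

```javascript
// Added example, not the AI Expedite terminal's own code. The allowlist entries,
// decision labels and policy choices below are assumptions for illustration.
const ALLOWLIST = new Map([
  ['git', new Set(['status', 'diff', 'log', 'fetch', 'branch'])],
  ['npm', new Set(['ci', 'test', 'run'])],
  ['docker', new Set(['ps', 'images'])],
]);

// Shell control operators that would let a second command ride along: ; & | newline CR backtick $(
const isOperator = (c, next) => /[;&|`\n\r]/.test(c) || (c === '$' && next === '(');

// Quote-aware split into argv. Returns null on an unquoted operator or an unterminated
// quote, because then the command shown to the user and the command executed could differ.
function normalize(raw) {
  const argv = [];
  let word = '', quote = null, inWord = false;
  for (let i = 0; i < raw.length; i++) {
    const c = raw[i];
    if (quote) {
      if (c === quote) quote = null; else word += c;
    } else if (c === '"' || c === "'") {
      quote = c; inWord = true;
    } else if (c === '\\' && i + 1 < raw.length) {
      word += raw[++i]; inWord = true;
    } else if (isOperator(c, raw[i + 1])) {
      return null;
    } else if (/\s/.test(c)) {
      if (inWord) argv.push(word);
      word = ''; inWord = false;
    } else {
      word += c; inWord = true;
    }
  }
  if (quote) return null;
  if (inWord) argv.push(word);
  return argv;
}

// 'allow' runs silently, 'ask' raises the native approval dialog with the exact
// command, 'deny' refuses outright (control characters the dialog cannot show).
function gate(raw) {
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/.test(raw)) return { decision: 'deny', reason: 'control characters' };
  const argv = normalize(raw);
  if (argv === null) return { decision: 'ask', argv: null, reason: 'chained or unparseable' };
  if (argv.length === 0) return { decision: 'deny', reason: 'empty command' };
  const subcommands = ALLOWLIST.get(argv[0]);
  if (subcommands && subcommands.has(argv[1])) return { decision: 'allow', argv };
  return { decision: 'ask', argv, reason: 'outside allowlist' };
}
```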

Step 4 — Third-party integrations

Narrow scopes you can revoke

We connect to GitHub, Gmail, Google Calendar, Jira, Linear, Confluence, Google Cloud, and the social and ad platforms we support. Every integration uses the provider's official OAuth flow, with three properties we hold to: narrow scopes, a CSRF-protected handshake, and revocation you control.

We request only the permissions an integration actually needs, preferring restricted scopes (like Gmail's) over their broader read-all variants wherever the provider offers them. The handshake is CSRF-protected by an HTTP-only same-site state cookie that expires in ten minutes.

You can disconnect any integration from inside AI Expedite, and you can revoke our access from the provider's own settings at any time.

OAuth properties

  • Narrowest available scopes per provider, documented per integration
  • State cookie: httpOnly, sameSite=lax, 10-minute TTL
  • Tokens stored in Firestore, encrypted at rest by Google
  • Revocable two ways: from inside AI Expedite or from the provider directly

Your code stays on your machine. Your data stays in your workspace. Your tokens stay revocable.

How we think about it

The shortcuts other platforms take, and the choices we made instead.

The easy path

  • Long-lived shared service tokens
  • Terminal apps with full filesystem access
  • Broad OAuth scopes — everything-at-once
  • Logs that capture request bodies and headers
  • Compliance claims without the evidence

AI Expedite

  • Audience-bound OIDC tokens — one per request
  • Command allowlist with explicit OS-level approval
  • Narrowest scopes the provider offers (e.g. restricted Gmail)
  • Structured logs of metadata only — no bodies, no keys
  • Honest framing: aligned with frameworks, not falsely certified

Most platforms ask you to trust them.

AI Expedite lets you verify.

Supply chain and code health

The same standard applies to our own code: nothing reaches production without going through these gates.

  • Dependency monitoring. Dependabot keeps every service current with grouped weekly updates. Lockfiles committed.
  • Static analysis. ESLint with security rules and CodeQL run on every pull request.
  • Container scanning. Trivy gates promotion on high and critical CVEs in service images.
  • Secret detection. Gitleaks runs in CI so accidentally-committed credentials never reach a merged branch.

Compliance posture

AI Expedite is a young product built by a small team. We have designed our security controls against the SOC 2 Trust Services Criteria and the privacy principles in GDPR and CCPA, and we use those frameworks as the standard we hold ourselves to.

We are not currently SOC 2, ISO 27001, or HIPAA certified. We don't want to imply otherwise on the way to building toward those certifications. If you need a specific attestation for a procurement review, write to us — we'll be honest about what we can and cannot provide today.

Found something? Tell us first.

We appreciate responsible disclosure and will engage in good faith. Acknowledgement within two business days; a substantive update within seven.

Last updated: May 2026 · This page reflects our current practices and will be revised as they change.

AI coding agents have access to the most sensitive surfaces a developer touches — their codebase, their shell, their cloud credentials. The security model needs to be more than a checklist of trust badges; it has to be something a careful reader can verify before they grant access. Security for AI coding agents is the security page for AI Expedite, written for the developer who's about to install the terminal app and wants to know exactly what it can do.

What the threat model actually is

The risk surfaces of an AI coding agent fall into three buckets: (1) command execution — the agent runs something on your machine that you didn't intend; (2) data exfiltration — code, secrets, or environment values leak through the agent's context to a model provider or a third party; (3) integration creep — OAuth tokens issued for one purpose get reused for another. AI Expedite's controls are organized around each of those buckets, and the security page walks through each control with the specific implementation behind it.

Command execution: allowlist + native approval

The terminal app maintains an allowlist of safe-by-default commands (the common shape of git, npm, build tools, container tools, cloud CLIs). Anything outside the allowlist surfaces a native OS approval dialog with the exact command before it runs. Arguments are normalized before matching, so a chained operator or newline can't smuggle a second command through. The agent cannot run an arbitrary command on your machine.

Data: encrypted, isolated, never used for training

Traffic to AI Expedite is HTTPS with HSTS preload. Documents, artifacts, logs, and backups are encrypted at rest by Google Cloud's managed keys. Customer code, content, and data are not used to train any AI Expedite model, and the commercial API endpoints we use (Anthropic, OpenAI, Google) contractually exclude customer inputs from their training data too. Logs capture metadata only — no request bodies, no API keys, no file contents.

Integrations: narrow scopes, revocable two ways

Every third-party integration uses the provider's official OAuth flow with the narrowest available scopes — restricted Gmail over read-all, repository-level GitHub permissions over org-wide. Tokens are encrypted at rest in Firestore. You can disconnect any integration from inside AI Expedite, or revoke it from the provider's settings; either path takes effect immediately.

Security FAQ

It's source-available on GitHub under a proprietary license — you can read every line before installing, but it's not redistributable. The signing and notarization are tied to AI Expedite's developer accounts.

The terminal app's allowlist of approved commands doesn't include destructive filesystem operations by default. Any command outside the allowlist requires native OS-level approval — you see the exact command and grant once, grant as a pattern, or deny.

No. AI Expedite does not train models of its own on customer code, content, or data. The third-party API endpoints we use (Anthropic, OpenAI, Google) exclude customer inputs from training under their commercial terms.

Not currently. We design against the SOC 2 Trust Services Criteria and the privacy principles in GDPR and CCPA, but we don't claim certifications we haven't completed. If you need a specific attestation for a procurement review, contact us — we'll be honest about what we can and cannot provide today.

Workspace contents are removed from our active data stores immediately and from backups within the standard Cloud Storage retention window. OAuth tokens are revoked at the provider during the same flow. We retain the minimum required for billing records under applicable law.

Email security@aiexpedite.com. We acknowledge within two business days and provide a substantive update within seven. We treat responsible disclosure as an act of trust and engage in good faith.
