Your signing keys are the crown jewels. We treat them that way.
Ubriot holds the credentials that can publish your app. Here is how we protect them, in plain terms, with no overclaiming.
Credentials are encrypted at rest
Signing certificates, App Store Connect keys, and Google Play service accounts are encrypted before storage and decrypted only inside a build that needs them.
Per-app, least-privilege scoping
Each credential is scoped to the app and owner it belongs to. A build can only reach the secrets for the app it is building.
Isolated build execution
Builds run in isolated workers. Artifacts and logs are tied to the build that produced them and are not shared across accounts.
Authenticated access throughout
Dashboard and API access is authenticated, and integration endpoints require their own scoped tokens.
Reporting a vulnerability
If you believe you have found a security issue, please email security@ubriot.dev with details and steps to reproduce. We will acknowledge your report and keep you updated while we investigate. Please give us a reasonable window to fix an issue before any public disclosure.
Questions about security?
Enterprise teams can request more detail on our controls.