Security & Data Posture

Cyanea is in public alpha. This page explains how the platform handles data today and what you should consider before using it for your research.

Authentication

  • Email + password — bcrypt-hashed, stored in the database. Available on all instances.
  • ORCID OAuth — Researcher identity via ORCID. Links your ORCID iD to your Cyanea account.
  • API keys — cyn_-prefixed tokens, SHA-256 hashed at rest. Scoped (read / write / admin).
  • JWT sessions — 1-hour TTL, issued via email+password at the API auth endpoint.

Encryption

  • In transit — All connections to app.cyanea.bio use TLS (HTTPS).
  • At rest — File storage on the hosted hub uses S3-compatible storage with server-side encryption. Self-hosted instances control their own encryption posture.
  • API keys — Hashed with SHA-256 before storage. Raw tokens are never persisted.
  • Passwords — bcrypt hashed with salt.
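
The API key handling described under Authentication and Encryption above (prefixed token, SHA-256 digest at rest, per-key scopes) can be sketched as follows. This is an added example, not Cyanea's code: the KeyStore class, its in-memory table, the token length and the treatment of scopes as an independent set are assumptions.

```python
import hashlib
import secrets

PREFIX = "cyn_"                      # token prefix named on the page
SCOPES = {"read", "write", "admin"}  # scope names from the page


class KeyStore:
    """Hypothetical in-memory stand-in for the API key table."""

    def __init__(self):
        self._rows = {}  # hex SHA-256 digest -> set of granted scopes

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8", "replace")).hexdigest()

    def issue(self, scopes):
        scopes = set(scopes)
        if not scopes or not scopes <= SCOPES:
            raise ValueError(f"invalid scopes: {sorted(scopes)}")
        # 32 random bytes (assumed length): the token is high-entropy, which
        # is why an unsalted fast hash is acceptable here, unlike passwords.
        token = PREFIX + secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = scopes
        return token  # returned once to the caller; only the digest is kept

    def authorize(self, presented, required: str) -> bool:
        # Reject anything that is not shaped like a key before hashing it.
        if not isinstance(presented, str) or not presented.startswith(PREFIX):
            return False
        scopes = self._rows.get(self._digest(presented))
        # Unknown digest and missing scope both fail closed.
        return scopes is not None and required in scopes

    def revoke(self, presented: str) -> bool:
        return self._rows.pop(self._digest(presented), None) is not None

    def stored_values(self):
        """What a database dump would expose: digests, never raw tokens."""
        return list(self._rows)


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue({"read"})
    print("read allowed:", store.authorize(key, "read"))
    print("write allowed:", store.authorize(key, "write"))
    print("raw token at rest:", key in store.stored_values())
```

Because only the digest is stored, a lost token cannot be recovered from the table and has to be revoked and reissued.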

Data Residency

  • Hosted hub (app.cyanea.bio) — Data is stored on infrastructure managed by Cyanea, Inc. Currently hosted on Fly.io (US regions) with S3-compatible storage.
  • Self-hosted — You control everything. Data stays on your infrastructure. Cyanea’s open-source node has no telemetry and no phone-home behavior.

What Federation Shares

Federation is opt-in and selective. When enabled:

  • Manifests — Metadata about spaces (name, description, content hash, revision number). Signed with optional node keys.
  • Blobs — File content is synced between nodes only when explicitly pushed/pulled. Content-addressed via SHA-256.
  • Nothing is shared by default — Federation requires setting federation_policy: "full" on a space and registering remote nodes.

What Cyanea Is Not Ready For (Yet)

Be honest with yourself about these limitations:

  • Human subject data / PHI — Cyanea is not HIPAA compliant today. Do not upload protected health information to the hosted hub. HIPAA compliance is planned for the Enterprise tier.
  • Regulated environments — No SOC 2, no BAA, no audit logging export yet. These are on the roadmap.
  • Data durability guarantees — The hosted hub is in alpha. While we back up data, we don’t yet offer an SLA. For critical data, self-host or keep copies elsewhere.

What Cyanea Is Good For Today

  • Public / open research data — Datasets, protocols, and notebooks you intend to share openly.
  • Non-sensitive analysis — Bioinformatics workflows on public reference data (gnomAD, 1000 Genomes, ENCODE, etc.).
  • Teaching and learning — Browser-based WASM notebooks with no server-side data exposure.
  • Self-hosted internal use — For private data, run your own instance. No artificial restrictions.

Responsible Disclosure

If you find a security vulnerability, please email security@cyanea.bio. We take security reports seriously and will respond promptly.

Questions?

If you’re unsure whether Cyanea is appropriate for your use case, get in touch. We’d rather you ask than assume.