Trust & Policy
Security
A conservative security posture for products that are still evolving.

Security
A conservative security posture for products that are still evolving.
Security is part of how people decide whether a product is safe to use, but this page should stay careful about what it claims. Upcube does not use this page to imply certifications, audits, penetration testing, encryption specifics, incident-response guarantees, or compliance programs that were not provided in the repo.
Current security posture
The right public posture here is conservative. Security expectations should grow from actual implementation, reviewed documentation, and current operational truth, not from generic trust-center language.
What security means in this product context
For products like Ethen and related Upcube surfaces, security can involve: Account boundaries Workspace boundaries Permissions and approvals Tool access Prompt and file handling Saved outputs and artifacts Service and infrastructure boundaries Abuse prevention and operational review Those are the areas a future detailed security program would need to explain with evidence.
Tool-aware security
AI products that can use tools or interact with external systems need stronger public discipline than chat-only products. If a tool can act, read, write, or connect outward, users should have a clearer understanding of risk, visibility, and review. That is a product design issue as much as a technical one.
What is not provided
The repo does not provide reviewed details for: Certification status Audit status Compliance scope Encryption specifics Incident-response SLAs Bug bounty or disclosure program details Security contact channels Regional or hosting commitments Enterprise security guarantees Where those facts are missing, this page should say not provided.
How this page should be used
Use it as a high-level explanation of security posture and claim boundaries. Do not use it as proof of certifications, contractual controls, technical architecture guarantees, or formal enterprise readiness.
Relationship to safety and privacy
Security overlaps with safety and privacy, but it is not the same thing as either. A careful public posture should keep those topics related while still describing them separately.
The standard
Claim only what is supported. Keep tool risk visible. Separate direction from proof. Leave missing details marked as not provided. Security language should become stronger only when the underlying evidence becomes stronger.