Security

How Cosyra keeps your code isolated, where it runs, and what happens to your data when you cancel.

Sandboxed

• Per-user Kubernetes namespace. Every account gets its own isolated workspace. You cannot see or reach other users' containers, and they cannot see or reach yours.
• gVisor (runsc) sandbox runtime. Workloads run inside a user-space kernel that intercepts system calls, so a process inside your container cannot directly talk to the host kernel.
• Squid egress proxy. Outbound network traffic from your container goes through a proxy that enforces our outbound rules.
• Least-privilege. Workspace pods run as a non-root user with Linux capabilities dropped.

Azure-hosted

• Workloads run in a Cosyra-controlled Azure AKS cluster. The cluster is single-region and is not multi-tenant with other companies.
• Your data stays in the same Azure region for the lifetime of your workspace.
• All traffic between the app and your container is encrypted in transit.

Cancel anytime

• Subscriptions are cancelled from the App Store or Google Play, the same place you bought them.
• After cancellation, your data persists for 30 days so you can come back or export anything you need.
• After the 30-day window, your workspace is permanently deleted.

Privacy

We do not train AI models on your code, and we do not sell your data. The full Privacy Policy covers what we collect, how long we keep it, and your rights.

Reporting a security issue

If you find a vulnerability, please email hello@portablesoftware.co with details and steps to reproduce. We will acknowledge your report and work with you on a fix.