Exactly what Qeau does on your infrastructure.
No black box. Qeau deploys over an outbound SSH connection with a key you control, runs as a non-root user you choose, and writes your secrets to memory — never disk. Here's the whole model.
The short version
- Outbound only. Qeau connects out to your host over SSH. There's no inbound port to open and no always-on daemon you have to trust.
- Your key, your user. You provide the SSH key and the login user. Qeau runs as that user — not root unless you grant it.
- Secrets never touch disk. The on-host agent fetches resolved env at process start and hands it straight to your app's memory. Nothing is written to the filesystem.
- Revocable in one move. Rotate the key or remove the host and Qeau's access is gone immediately.
- Everything is audited. Every action is logged (UTC, RFC-3339) and can stream to your SIEM.
How Qeau accesses your host
A deploy is a short-lived, outbound SSH session. Qeau holds your key server-side and never ships it to the browser. Here's the full sequence — nothing more runs on your box than what's listed:
1. Connect. Qeau opens an outbound SSH session to the host + user you registered, authenticating with the key you provided. A 20-second handshake timeout means a stalled host fails fast, not silently.
2. Fetch code. It clones your repo at the chosen branch (via your Git OAuth grant — Qeau never asks for your Git password).
3. Build. It runs the build command you configured, with a content-hashed cache so unchanged dependencies aren't rebuilt.
4. Release. It starts your app under PM2 and performs a zero-downtime blue-green swap via a current symlink — the old release stays until the new one is healthy, so rollback is instant.
5. Route (optional). If you set a custom domain, it writes an NGINX vhost for it. Nothing else touches your web server.
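To make the release step concrete, here is an added example of a symlink-based blue-green switch with a health gate and instant rollback. It is illustration code written for this page, not Qeau's agent: the directory layout (releases/<id>, a current symlink, a previous marker file), the VERSION-file health check and the mktemp sandbox are all assumptions, and the PM2 start and the SSH/clone/build steps that precede it are left out.

```shell
#!/bin/sh
# Added example (not Qeau's code): a blue-green release switch of the kind the
# sequence above describes. Assumed layout: $APP_ROOT/releases/<id> holds each
# build, $APP_ROOT/current is a symlink to the live one, and $APP_ROOT/previous
# records the last live path so rollback is one swap back.
set -eu

# Constructed sandbox root so the demo runs offline; a real host would use the app dir.
APP_ROOT="${APP_ROOT:-$(mktemp -d)}"
mkdir -p "$APP_ROOT/releases"

# Stage a release directory. In a real deploy this is where clone + build land;
# here we only drop a VERSION file. Pass "broken" as the second argument to
# simulate a build that produced nothing usable.
stage_release() {
    dir="$APP_ROOT/releases/$1"
    mkdir -p "$dir"
    if [ "${2:-}" = "broken" ]; then
        : > "$dir/VERSION"
    else
        printf 'release %s\n' "$1" > "$dir/VERSION"
    fi
    printf '%s\n' "$dir"
}

# Health gate: a release may go live only if it looks complete. A real check
# would start the new process and poll its health endpoint before swapping.
is_healthy() {
    [ -s "$1/VERSION" ]
}

# Path the live symlink resolves to, or empty when nothing is live yet.
current_release() {
    if [ -L "$APP_ROOT/current" ]; then readlink "$APP_ROOT/current"; fi
}

# Repoint "current" atomically: build the link under a temp name, then rename
# it over the old one. rename(2) replaces the link in a single step, so there is
# never a moment where "current" is missing or half-written.
activate() {
    tmp="$APP_ROOT/current.tmp.$$"
    ln -sfn "$1" "$tmp"
    mv -Tf "$tmp" "$APP_ROOT/current"   # -T (GNU coreutils): replace the link, don't move into it
}

# Blue-green deploy: stage, gate, remember what was live, swap. The previous
# release directory is left in place, which is what makes rollback instant.
deploy() {
    new="$(stage_release "$1" "${2:-}")"
    if ! is_healthy "$new"; then
        echo "release $1 failed its health check; current release untouched" >&2
        return 1
    fi
    prev="$(current_release)"
    if [ -n "$prev" ]; then printf '%s\n' "$prev" > "$APP_ROOT/previous"; fi
    activate "$new"
}

# Roll back by swapping "current" to the recorded previous release.
rollback() {
    prev="$(cat "$APP_ROOT/previous" 2>/dev/null || true)"
    if [ -z "$prev" ]; then echo "no previous release recorded" >&2; return 1; fi
    activate "$prev"
}
```

A failed health check returns before anything is swapped, so the live release is never touched by a bad build; a process-manager reload (PM2 in the page's sequence) would follow activate, pointing at the new current. The mv -T flag is GNU coreutils; without it mv would move the temp link into the directory that current points at instead of replacing the link.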
# Want to revoke? Rotate the registered key or delete the host in Qeau — the next deploy simply can't connect.
Secrets that never touch disk
Most platforms drop a plaintext .env on your host. Qeau doesn't have to.
Memory-only
Secrets live only in your process's environment. No .env on disk, nothing for a backup or a curious user to read.
Metadata-only UI
The dashboard shows secret keys and rotation dates — never values. Plaintext never leaves the orchestrator toward the browser.
Per-environment
Dev, staging and prod each carry their own secret set, scoped and rotated independently.
Audited rotation
Every rotation is recorded with a timestamp, so the SOC 2 evidence pack can prove your secret hygiene.
Identity & access
Least privilege, end to end — for the people in your workspace and the platform itself.
Workspace-enforced MFA
Require TOTP across the workspace; members are gated until enrolled, on password and SSO logins alike.
SAML SSO & SCIM
Sign in with your IdP; joiners and leavers sync automatically so access maps to your directory.
Custom RBAC
Granular, custom roles plus deploy approvals and IP allowlists — segregation of duties by design.
Hardened sessions
httpOnly cookie sessions, single-use tickets for log streaming, and TOTP-gated staff access on our side.
Platform hardening
The controls we hold ourselves to, so your trust isn't just in our intentions.
Signed, attestable builds
Every release image is keyless-signed with cosign and ships an SBOM — you can verify exactly what's running.
Locked-down runtime
Read-only root filesystem, all Linux capabilities dropped, and no-new-privileges on the orchestrator.
Database & transport
PostgreSQL pinned to SCRAM-SHA-256 auth; TLS in transit; a strict CORS allowlist and Content-Security-Policy.
Keyless cloud identity
Object storage via workload identity — no long-lived cloud keys sitting in config.
Compliance & assurance
We'd rather be precise than buzzword-y. Here's exactly where we stand.
SOC 2 evidence, built in
One click exports the records auditors ask for — access reviews, approvals, rotations, quotas — mapped to CC controls. Current attestation status available on request.
Continuous controls
The controls engine checks your projects continuously and surfaces drift before an assessor would.
Data residency
Pin workloads to regions with per-workspace identity boundaries to meet residency requirements.
Audit & SIEM
Immutable, RFC-3339 audit logs streamed to your SIEM for retention and alerting.
# For our current SOC 2 attestation status, a DPA, or our latest penetration-test summary, email security@qeau.tech — we'll share under NDA.
Report a vulnerability
Found something? We want to hear from you. Email security@qeau.tech with details and a way to reproduce. We acknowledge reports quickly and work disclosure in good faith — no legal action for good-faith research.
See it for yourself.
The sandbox runs the full governance stack on a live host — inspect the audit log, the evidence pack, and the deploy pipeline yourself.