Security

How we protect the platform and your data, and how to report a vulnerability. For the personal data we collect and your rights over it, see our Privacy Policy; for how we process data on your behalf, our Data Processing Agreement.

Platform

Every customer workload runs in its own Firecracker microVM — a real virtual machine with its own kernel, not a shared-kernel container. Each tenant's VMs and network are isolated from every other tenant, and automatic controls limit network egress and block access to other tenants and to platform internals. Access to production systems is restricted, held by a single administrator, and recorded in append-only audit logs.

Your data

Your VMs, their backups, and your account and billing data are all hosted in the EU. Superjolt is operated by a UK company (Superjolt Limited, the data controller). We don't read the contents of your VMs. Traffic is encrypted in transit and sensitive credentials are encrypted at rest. We take regular backups — retention details are in our Privacy Policy. We use a small set of vetted subprocessors; a current list is available to customers on request.

Compliance

We're aligned with the UK and EU GDPR. You can export your data and delete your account yourself from the dashboard at any time, which destroys your VMs and removes your tenant data. We don't currently hold a formal third-party security certification; we'll update this page if that changes.

Responsible disclosure

We take security reports seriously. This section tells you where to send them, what we'll look at, and what to expect.

Reporting a vulnerability

Email [email protected]. Include:

  • A clear description of the issue and where it lives.
  • Steps to reproduce — a short script or curl command beats a screenshot.
  • The impact you think it has (data exposure, privilege escalation, denial of service, etc.). A CVSS vector is welcome but not required.
  • Your name or handle if you'd like credit.

Please don't open public GitHub issues for security findings.

Scope

In scope:

  • superjolt.com (marketing site)
  • dashboard.superjolt.com (the customer dashboard)
  • api.superjolt.com (the platform API)
  • admin.superjolt.com (the operator console)
  • mcp.superjolt.com (the MCP gateway)
  • *.superjolt.host (the per-VM edge layer)
  • The Superjolt CLI and the published MCP server

Out of scope:

  • The contents of customer VMs and the code customers deploy to them — those belong to the customer.
  • Findings against our upstream infrastructure and third-party service providers — please report those to the provider directly.
  • Volumetric denial-of-service testing. Don't.
  • Social-engineering attacks against Superjolt staff or customers.
  • Findings that require access to a customer's already-compromised account or device.

Safe harbor

If you act in good faith, stay within scope, and avoid privacy violations or service disruption, we will not pursue or support legal action against you. "Good faith" means: only access data that is your own, stop as soon as you've proved the issue, and give us a reasonable window to fix it before disclosing publicly.

What to expect

  • Acknowledgement. We'll confirm we received your report within a few business days.
  • Triage. We'll come back with a severity assessment and a rough plan within a couple of weeks.
  • Fix and disclosure. Once a fix is shipped we'll let you know. We're happy to coordinate a public disclosure timeline that works for both of us.

Credit

We don't run a paid bug bounty yet. We're happy to credit researchers on this page on request — let us know in your report whether you'd like to be named, and how.

security.txt

The machine-readable version of this contact lives at /.well-known/security.txt per RFC 9116.