Trust & Security

Skua is designed for sharing work outputs – charts, tables, analysis results. Here's exactly how we protect that data, what our limits are, and what you should think about before uploading.

The right mindset

Skua is a sharing tool, not a vault. It's built for the outputs of your work – the chart you'd put in a slide deck, the table you'd paste into Slack. If you wouldn't email it to a colleague, don't snap it.

We take security seriously and have built real protections (detailed below), but we also believe in being straight with you: any time you put data on a third-party service, you're trusting that service. We want to earn that trust by being transparent about what we do and don't do.

Snapshot URLs are unguessable

Every snapshot gets a 12-character ID generated with secrets.choice() from Python's secrets module, which draws from the operating system's cryptographically secure random source. The alphabet is base62 (a–z, A–Z, 0–9), giving each ID 71.5 bits of entropy – over 3 sextillion possible combinations.

IDs have no sequential or time-based component. Knowing one ID tells you nothing about any other. At a rate of 1 billion guesses per second, it would take over 100,000 years to find a single valid ID by brute force – and our rate limiting would block you long before that.

That said, URLs are not passwords. Anyone who has a snapshot URL can view it. Don't share the URL with people you wouldn't want to see the content.
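The figures above can be reproduced, and extended to the case where many snapshots are live at once, with the following added example. It is not Skua's own code: the function names and the live-snapshot counts are assumptions made for illustration, and only the alphabet, ID length, secrets.choice() and the 20-failures-per-5-minutes rule come from this page.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # base62: a-z, A-Z, 0-9
ID_LENGTH = 12
ID_SPACE = len(ALPHABET) ** ID_LENGTH              # about 3.2e21
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def new_snapshot_id() -> str:
    """Pick each character independently with secrets.choice()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(ID_LENGTH))


def entropy_bits() -> float:
    """Bits of entropy in one ID: length * log2(alphabet size)."""
    return ID_LENGTH * math.log2(len(ALPHABET))


def expected_years_to_hit(live_ids: int, guesses_per_second: float) -> float:
    """Mean time for uniformly random guesses to land on any live ID."""
    if live_ids < 1 or guesses_per_second <= 0:
        raise ValueError("need at least one live ID and a positive rate")
    return ID_SPACE / live_ids / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(new_snapshot_id(), f"{entropy_bits():.2f} bits")
    # Constructed scenarios: the live-snapshot counts are illustrative only.
    per_ip_rate = 20 / 300   # 20 failed requests per 5 minutes before a block
    for live in (1, 1_000_000):
        print(f"{live} live IDs:",
              f"{expected_years_to_hit(live, 1e9):.3g} years at 1e9 guesses/s,",
              f"{expected_years_to_hit(live, per_ip_rate):.3g} years at the per-IP limit")
```

The expected time shrinks in proportion to the number of live snapshots, which is why the guess rate the server actually permits matters more than the raw size of the ID space.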

Access model

Skua uses a capability-based access model: the URL is the credential. This is the same model used by Google Docs "anyone with the link" sharing, Figma share links, and most file-sharing services.

  • Public snapshots appear on your profile page and are viewable by anyone with the URL
  • Private snapshots (verified accounts only) are hidden from your profile but still accessible via URL – "private" controls discoverability, not access

There is no login-gated viewing. This is by design – it means you can share a URL with anyone (including people who don't have a Skua account) and it just works. The tradeoff is that if a URL leaks, the content is visible. If you need login-gated access control, Skua isn't the right tool for that content today.

Authentication

Sessions are token-based. Your token is stored locally on your machine at ~/.skua/session (anonymous) or ~/.skua/token (verified).

  • Tokens are hashed with SHA-256 before storage – the server never stores your raw token
  • Email verification tokens are single-use and expire after 15 minutes
  • No cookies are used – the Python client sends your token via an HTTP header
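The storage pattern described in this list can be sketched as follows. This is an added example, not Skua's server code: TokenStore, its method names and the in-memory dictionaries are hypothetical stand-ins for the real tables, and it assumes tokens are long random values, which is what makes an unsalted SHA-256 digest adequate here (it would not be for passwords).

```python
import hashlib
import secrets
import time

VERIFY_TTL_SECONDS = 15 * 60   # email verification tokens expire after 15 minutes


def token_digest(raw_token: str) -> str:
    """SHA-256 hex digest; this is the only form the server keeps."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for the server-side token tables (hypothetical)."""

    def __init__(self):
        self.sessions = {}        # digest -> account id
        self.verifications = {}   # digest -> (email, expires_at)

    def issue_session(self, account_id: str) -> str:
        raw = secrets.token_urlsafe(32)
        self.sessions[token_digest(raw)] = account_id
        return raw                # shown to the client once, never stored raw

    def authenticate(self, presented: str):
        # Lookup is by digest, so a leaked table does not reveal usable tokens.
        return self.sessions.get(token_digest(presented))

    def issue_verification(self, email: str, now=None) -> str:
        now = time.time() if now is None else now
        raw = secrets.token_urlsafe(32)
        self.verifications[token_digest(raw)] = (email, now + VERIFY_TTL_SECONDS)
        return raw

    def redeem_verification(self, presented: str, now=None):
        now = time.time() if now is None else now
        # pop() removes the entry on first use, even if it has already expired
        entry = self.verifications.pop(token_digest(presented), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if now < expires_at else None
```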

Encryption

In transit: all connections use HTTPS/TLS with Let's Encrypt certificates. HTTP requests are redirected to HTTPS. HSTS is enabled with a 1-year max-age. HTTP/2 is supported.

At rest: snapshot data and the PostgreSQL database live on encrypted block storage on a dedicated Hetzner VPS in Ashburn, Virginia (US East). We do not currently offer client-side encryption – data is encrypted by the infrastructure, not by the application.

Security headers are set on all responses: X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security.

Rate limiting & abuse prevention

Two layers of rate limiting protect the service:

  • Request rate limits – 60 uploads per minute, 200 per hour (burst-friendly for notebook "Run All" workflows). Read endpoints allow 1,000 requests per hour.
  • Failure-based blocking – 20 failed requests (404s, invalid IDs) in 5 minutes triggers an automatic IP block with escalating durations: 10 minutes, 1 hour, then 24 hours for repeat offenders.

Nginx enforces a 10 MB upload cap and a 10 requests/second rate limit before traffic reaches the application.
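The failure-based blocking rule above, written out as an added example rather than Skua's implementation. The class and method names are hypothetical, the thresholds and durations are the ones stated on this page, and the sketch assumes strikes never decay, which the page does not specify.

```python
from collections import defaultdict, deque

FAILURE_LIMIT = 20                                   # failed requests ...
WINDOW_SECONDS = 5 * 60                              # ... within 5 minutes
BLOCK_DURATIONS = [10 * 60, 60 * 60, 24 * 60 * 60]   # 10 min, 1 hour, 24 hours


class FailureBlocker:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.strikes = defaultdict(int)      # ip -> blocks issued so far
        self.blocked_until = {}              # ip -> time the current block ends

    def is_blocked(self, ip: str, now: float) -> bool:
        return now < self.blocked_until.get(ip, 0)

    def record_failure(self, ip: str, now: float) -> int:
        """Record a 404 or invalid-ID response; return block seconds, or 0."""
        window = self.failures[ip]
        window.append(now)
        # Slide the window: forget failures older than 5 minutes.
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()
        if len(window) < FAILURE_LIMIT:
            return 0
        # Escalate with each repeat offence, capping at the longest duration.
        step = min(self.strikes[ip], len(BLOCK_DURATIONS) - 1)
        duration = BLOCK_DURATIONS[step]
        self.strikes[ip] += 1
        self.blocked_until[ip] = now + duration
        window.clear()
        return duration
```

A request handler would call is_blocked() before doing any work and record_failure() whenever it returns a 404 or rejects an ID as malformed.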

Data retention

  • Anonymous: snapshots expire after 7 days
  • Verified: 90-day retention, resetting on each update, with a 1-year maximum

An automated cleanup process runs hourly. When a snapshot expires, both the database record and the stored file are permanently deleted – storage first, then database, so no orphaned files remain accessible.

What we collect

No tracking cookies. No telemetry from the Python package. No user agents or referrers logged. Website analytics via Fathom (privacy-focused, cookieless, GDPR compliant).

What we do collect – the minimum needed to operate:

  • Your uploaded content – exactly what you pass to skua.snap()
  • IP address – for rate limiting and abuse prevention only, not linked to identity
  • Email – only if you verify, used only for sending your token
  • Metadata – timestamps, content sizes, view counts

Input validation

All input is validated at multiple layers – the Python client validates locally for fast feedback, and the backend re-validates everything with Pydantic models regardless of what the client sends. Database queries use parameterized statements via SQLAlchemy (no string interpolation, no SQL injection risk). CSV exports sanitize cells that start with formula characters (=, +, @) to prevent injection in spreadsheet applications.
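A sketch of the CSV cell sanitization mentioned above, as an added example that is not taken from Skua's code. The function names are hypothetical and the sample cells in the comments are constructed. It goes beyond the three characters listed on this page by also covering -, tab and carriage return, which OWASP's CSV injection guidance includes, while leaving plain numbers such as "-3.5" untouched.

```python
import csv
import io
import re

PAGE_PREFIXES = ("=", "+", "@")       # the characters this page lists
EXTRA_PREFIXES = ("-", "\t", "\r")    # also listed in OWASP's CSV injection guidance
NUMBER_RE = re.compile(r"[+-]?\d+(\.\d+)?")


def sanitize_cell(value, prefixes=PAGE_PREFIXES + EXTRA_PREFIXES):
    """Prefix formula-like strings with an apostrophe so they open as text."""
    if not isinstance(value, str):
        return value                  # real ints and floats are written as numbers
    if NUMBER_RE.fullmatch(value):
        return value                  # "-3.5" or "+7" is data, not a formula
    if value.startswith(prefixes):
        return "'" + value
    return value


def export_csv(rows) -> str:
    """Write rows to CSV text, sanitizing and quoting every cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()
```

Sanitizing at export time rather than at upload keeps the stored data unchanged, so the same snapshot can still be rendered or downloaded in other formats without the added apostrophes.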

Open source client

The Python package is open source (MIT License). You can read exactly what data the client sends, how it serializes your objects, and what HTTP requests it makes. There are no hidden analytics, no phone-home calls, no data collection beyond what's needed to upload your snapshot.

Our recommendation

Skua is a good fit for:

  • Charts and visualizations you'd present to your team
  • DataFrames and tables with non-sensitive business data
  • Analysis results, model outputs, experiment summaries
  • Anything you'd put in a slide deck or Slack message

Think twice before uploading:

  • PII, health records, or financial data covered by regulation
  • Credentials, API keys, or secrets
  • Proprietary data your employer restricts from third-party services
  • Anything where URL-based access isn't sufficient

When in doubt, ask: "Would I be comfortable if this URL were forwarded to someone I didn't intend?" If yes, snap it. If not, keep it local.

Continuity

Skua is built and operated by one person. If Skua ever shuts down, I'll give at least 30 days' notice and keep read access available during that window so you can save anything you need. The Python client is open source and your snapshots are always accessible via their URLs for as long as the service runs.

Security questions or concerns? Contact hello@skua.dev.