Modelcore
Security

Security and privacy, as implemented today.

Modelcore is in early beta. This page summarizes the current product posture: sign-in, project access, data handling, and current limits.

At a glance

Practical safeguards

Grounded in the current product and Privacy Policy.

Account security

Sign-in runs through AuthKit, Google, or Microsoft OAuth. Modelcore does not store raw account passwords.

Project access

Project routes require sign-in and beta access. View, edit, and admin checks run per project.

Realtime collaboration

Multiplayer uses the same session auth as the API and checks edit access before command publishing.

Data storage

A database stores account and project records. Snapshots and thumbnails use object storage.

Privacy posture

We do not sell personal information. Analytics are designed for events, IDs, counts, and enums, not project geometry.

Early beta limits

Early beta means no SOC 2 certification or regulated-industry compliance claim today.

Data handling

How Modelcore handles your data

A plain-English summary. The Privacy Policy remains the source of truth.

Account data

Email, optional name/avatar, and provider identity details are used to create and link accounts.

Project content

Modelcore stores and processes your projects, saved states, previews, and imports/exports so the app can save, load, preview, and sync your work. Preview image links are temporary.

Collaboration metadata

Presence, view state, locks, and sync messages power multiplayer. Active collaborators may see your display name, avatar, and presence.

Analytics and logs

Operational logs are typically retained for 90 days. Analytics are typically retained for 12 months under current settings.

Feedback

Feedback includes what you submit plus context metadata. IP address and user agent are stored as salted hashes for abuse prevention and rate limiting.

AI automation

If you use AI automation, prompts go through the Modelcore API to the configured provider. Tool calls, results, and snapshot workflows may include modeling metadata or geometry.

Product safeguards

Controls in the app and API

  • Session cookies are httpOnly, SameSite=Lax, and secure in production.
  • State-changing API requests include origin checks and CSRF protections.
  • Project authorization is shared by REST and realtime edit flows.
  • Realtime has connection and message rate limits plus frame size caps.
  • Production configuration is validated before startup.

Current limits

What we do not claim yet

  • No SOC 2 certification yet.
  • No regulated-industry compliance claims today.
  • No public bug bounty or formal incident SLA yet.
  • No separate subprocessors page today; provider categories live in the Privacy Policy.

Questions or data requests

We keep it readable.

Read the full Privacy Policy and Terms or email support@modelcore.app