Security Overview

SeaWise is designed with security as a core principle. Here's how we keep your data and services safe.

Outbound-Only Architecture

The most important security feature: SeaWise never connects into your network.

Your SeaWise client makes an outbound connection to SeaWise — the same direction as browsing the web. SeaWise cannot:

• Push commands to your client

• Initiate connections to your network

• Access services you haven't explicitly registered

• See or modify data on your local network

Your Server  ──outbound──>  SeaWise  <──inbound──  Visitor

Your server reaches out. Visitors connect to SeaWise. SeaWise relays traffic between the two. At no point does SeaWise reach into your network.

Encrypted Connections

• All traffic between your client and SeaWise uses TLS encryption

• All public service URLs use HTTPS with valid certificates

• Certificates are managed automatically

Authentication

• Passwordless login — sign in with a magic link sent to your email. No passwords to leak or guess.

• Pairing codes — servers are connected via a time-limited device pairing flow, similar to signing into a streaming app on a TV

• Token security — authentication tokens are stored as cryptographic hashes (SHA-256), not in plain text

Access Control

• Dashboard sharing uses an explicit email whitelist — only people you add can see your dashboards

• Each service tunnel requires a valid, authenticated connection

• Subdomains can only be claimed by verified token holders

Data Handling

• We collect the minimum data needed to operate the service

• Session tokens are hashed before storage

• Sensitive data is never logged

• You can export all your data or delete your account at any time (see Privacy)

What SeaWise Cannot Do

Responsible Disclosure

If you discover a security issue, please email [email protected]. We take all reports seriously and will respond promptly.