Skip to content

Security by design.

We audit other people's security. The bare minimum is to hold our own standards.

Scan isolation

Each scan runs in an ephemeral Docker container started with --network=none. No internet access, no access to other scans, no access to the orchestrator. Temp filesystem destroyed right after findings extraction.

Encryption

TLS 1.3 in transit. AES-256 at rest on Postgres and R2 (Scaleway managed). Secrets handled by the Scaleway secret manager, never in plaintext in DB.

Hosting

Scaleway Paris (DC3). 100% EU. No non-EU sub-processor in the scan pipeline. Anthropic Claude (AI triage) is the only exception, opt-in: see AI triage.

AI triage (opt-out)

When AI triage is enabled (Standard tier and up), only consolidated findings are sent to Anthropic Claude: CWE, file:line, 5-line max snippet. No secrets, no full code, no client data. Disable with no extra cost.

Auth & MFA

Opaque Redis sessions. JWT for API. TOTP MFA available. RBAC across 4 roles (owner / admin / member / viewer). Immutable audit log.

DPA & GDPR

DPA available on request for Premium and Studio tiers. Sub-processors listed, right to erasure, retention configurable per tier.