Trust & privacy
How we handle your code and your data.
Code retention policy
Your code never touches our servers permanently. Zero retention. Zero risk.
We don't store your source code after the scan. Your zip is extracted in memory or in a temporary directory only during the scan. We store scan results so you can view your report later. We do not keep a copy of your code.
Where scanning runs
Scanning runs in an isolated environment. Your code is used only to produce your report. It is not used for training, marketing, or any other purpose.
Tech stack:
- Scanning runs in an isolated Railway container.
- Each scan is a fresh ephemeral environment; there is no persistent access to your code.
- Powered by four open source scanners: Opengrep (SAST), Gitleaks (secrets), Trivy (dependencies & IaC), and Nuclei (live app / DAST).
- All are open source tools, and you can inspect them yourself.
Logs and privacy
We log minimal metadata only (e.g. that a scan ran and completed). We never log code contents or report details. We don't sell your data. Any changes to how we handle data will be reflected on this page.
- ✓ We never store your source code
- ✓ We never sell your data
- ✓ We never use your code for AI training
- ✓ We log scan metadata only (time, file count, finding count)
- ✓ Payments processed by Stripe. We never see your card details
Open source scanners
We use open source tools you can audit yourself.
Opengrep
Fork of Semgrep CE. It provides static analysis (Code Scan, SAST) for security and code quality. LGPL 2.1 licensed.
Gitleaks
Secret detection in git repos and files; it finds API keys, tokens, and credentials. MIT licensed.
Trivy
Dependency and IaC scanning; it finds known CVEs in your packages and infrastructure configuration. Apache 2.0 licensed.
Nuclei
Live app scanning (DAST); it probes running endpoints for real vulnerabilities using community-maintained templates. MIT licensed.
Payment security
Payments handled by Stripe
We never see or store your payment information. All transactions are processed directly by Stripe, a PCI DSS Level 1 certified payment processor.
Frequently asked questions
Still have questions? We're happy to talk.