CodeTitan

§ 01 Security

Your code stays your code.

The engine runs on your runner or your machine. Your source never transits our servers, never touches our storage, never trains a model. The cloud only ever sees what you choose to send it: findings reports, not repositories.

Posture · current
Analysis runs: On your runner · your machine
Source code: Never transits our servers
Cloud receives: Findings reports · opt-in only
Training use: Never
Transport: TLS in transit
At rest: Encrypted via providers (Vercel · Supabase)
SSO · Enterprise: On the roadmap · not yet shipped

§ 02 Principles
Principle 01

Analysis runs on your infrastructure

The Action runs the engine on your GitHub runner; the CLI runs on your machine. Findings post back to your PR. Your source code does not transit our servers — there is no cloud analysis surface receiving it.

Your runner · Your machine · No code egress
Principle 02

The cloud is opt-in

Nothing is sent to us unless you choose it. With --upload or --share, the CLI sends a findings report (severities, messages, the flagged lines) to your own dashboard — not your repository. Reports are never used to train models.

Opt-in only · Reports, not repos · No training use
Principle 03

Encryption everywhere

TLS in transit. Data is encrypted at rest via our hosting and database providers (Vercel, Supabase). We do not yet operate our own KMS or rotate provider-side keys ourselves.

TLS in transit · Encrypted at rest · Provider-managed keys
Principle 04

A deliberately small surface

Production is a handful of managed providers — Vercel, Supabase, Stripe — with row-level security on every database table and production access limited to the founding team. No fleet of services to misconfigure.

Managed providers · Row-level security · Founding-team access
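As an added illustration of the "row-level security on every database table" point above (this is example SQL, not CodeTitan's own schema or policies): a Postgres table in the Supabase style, locked down so that each authenticated user can read and insert only rows they own, plus a query an operator can run to confirm that no table in the public schema has been left without RLS. The table name, columns and the `auth.uid()` helper are assumptions; `auth.uid()` is the Supabase function that returns the calling user's id from the request JWT.

```sql
-- Hypothetical findings table: one row per uploaded report entry.
create table findings_reports (
  id          bigint generated always as identity primary key,
  owner_id    uuid        not null,   -- the user the report belongs to
  repository  text        not null,   -- repository name only, never source
  severity    text        not null,
  message     text        not null,
  created_at  timestamptz not null default now()
);

-- Turn RLS on, and make it apply to the table owner as well, so a
-- mis-scoped service role cannot silently bypass the policies below.
alter table findings_reports enable row level security;
alter table findings_reports force row level security;

-- Read policy: a user sees only rows whose owner_id matches their JWT subject.
create policy "owners read own reports"
  on findings_reports
  for select
  using (owner_id = auth.uid());

-- Write policy: a user may only insert rows attributed to themselves.
create policy "owners insert own reports"
  on findings_reports
  for insert
  with check (owner_id = auth.uid());

-- Posture check: list every ordinary table in the public schema that does
-- NOT have row-level security enabled. An empty result is the desired state.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity
order by c.relname;
```

With no `delete` or `update` policy defined, those operations are denied for ordinary roles by default; that default-deny behaviour is the reason enabling RLS on a table without writing any policy is safe rather than permissive. Roles with `BYPASSRLS` or superuser rights still see every row, so the check query is only meaningful alongside a review of which roles the application actually connects with.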

§ 03 Compliance

PCI DSS · Scope
No card data processed
Stripe handles all payment surfaces

GDPR · Article 28
Email-based DSR
See compliance page for full posture


§ 04 Disclosure

Report it.
We'll respond.

Email security@codetitan.dev. We read every email but cannot yet guarantee response times during pre-launch. Coordinated disclosure preferred, with credit unless you prefer anonymity.

  • 01 Include steps to reproduce, impact, and affected version
  • 02 No bug bounty program yet — we will credit researchers publicly once disclosed
  • 03 A PGP key will be published once we generate one; until then plain email is fine

security@codetitan.dev · Plain email

Plain email is fine while we're pre-launch. We'll publish a PGP public key here once one exists for security@codetitan.dev.

No PGP fingerprint to publish yet · do not trust any key claiming to be ours until linked from this page.


§ 05 See for yourself

Your code never leaves. Prove it.

Apache-2.0 — read the source, run it air-gapped, watch the network tab.