Security Overview
Last updated: 1 June 2026
[bracketed] placeholder with your real details and have qualified counsel review it before you rely on it commercially.

CodeGuard reviews source code, so we design the Service so that the act of reviewing never becomes the point of exposure. This page summarizes our controls. It describes our design and intentions; it is not a certification.
Data handling
- In-memory processing. Uploaded archives are unpacked and analyzed in memory for the duration of a review and are not written to disk or retained afterward.
- Minimized scope. Dependencies, binaries, and build artifacts are skipped; review focuses on first-party source.
- Local-only option. The deterministic static engine runs with zero outbound calls — suitable for air-gapped and regulated environments.
- Private AI analysis. When the AI engine is enabled, only first-party source is sent to our model provider over TLS; inputs are not used to train models, and zero-retention processing is used where available.
- Read-only. Your code is never executed.
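As an added illustration of the in-memory, first-party-only handling the bullets above describe (example code written for this page, not CodeGuard's own implementation), the following Python unpacks an uploaded archive entirely in memory, drops dependency directories, build output and binary files, refuses entries whose path would escape the archive root, and bounds total decompressed size. The skip lists, suffix table and size caps are assumptions chosen for the example; the sample archive is constructed inline and is not customer data.

```python
import io
import posixpath
import zipfile

# Assumed scope policy: directory names and suffixes treated as out of scope.
# The page says dependencies, binaries and build artifacts are skipped; these
# exact names are this example's choice, not the Service's real list.
SKIPPED_DIRS = {"node_modules", "vendor", "dist", "build", "target", ".git"}
BINARY_SUFFIXES = {".exe", ".dll", ".so", ".o", ".class", ".jar", ".png", ".zip", ".pyc"}
MAX_FILE_BYTES = 1_000_000       # per-file cap (assumed)
MAX_TOTAL_BYTES = 20_000_000     # total decompressed cap, a zip-bomb guard (assumed)


def is_unsafe_path(name: str) -> bool:
    """Reject absolute paths, Windows drive prefixes, backslashes and '..' escapes."""
    if not name or name.startswith("/") or "\\" in name or ":" in name.split("/")[0]:
        return True
    first = posixpath.normpath(name).split("/")[0]
    return first in ("..", "")


def in_scope(name: str) -> bool:
    """First-party source only: skip dependency/build directories and binary suffixes."""
    parts = name.split("/")
    if any(p in SKIPPED_DIRS for p in parts[:-1]):
        return False
    return posixpath.splitext(name)[1].lower() not in BINARY_SUFFIXES


def looks_binary(data: bytes) -> bool:
    """Cheap content check: a NUL byte in the first 8 KB marks the file as binary."""
    return b"\x00" in data[:8000]


def review_archive(archive_bytes: bytes) -> dict:
    """Unpack in memory and return {'reviewed': {path: text}, 'skipped': [(path, reason)]}.

    Nothing is written to disk, and file contents are only read, never executed.
    """
    reviewed, skipped, total = {}, [], 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if is_unsafe_path(name):
                skipped.append((name, "unsafe path"))
                continue
            if not in_scope(name):
                skipped.append((name, "out of scope"))
                continue
            # Read one byte past the cap so the check does not trust the header's size claim.
            with zf.open(info) as fh:
                data = fh.read(MAX_FILE_BYTES + 1)
            if len(data) > MAX_FILE_BYTES:
                skipped.append((name, "too large"))
                continue
            total += len(data)
            if total > MAX_TOTAL_BYTES:
                raise ValueError("decompressed size cap exceeded")
            if looks_binary(data):
                skipped.append((name, "binary content"))
                continue
            reviewed[name] = data.decode("utf-8", errors="replace")
    return {"reviewed": reviewed, "skipped": skipped}


def build_sample_archive() -> bytes:
    """Constructed sample upload for demonstration (not real customer code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/main.py", "print('hello')\n")
        zf.writestr("node_modules/left-pad/index.js", "module.exports = 1;\n")
        zf.writestr("dist/bundle.js", "var a=1;\n")
        zf.writestr("app/logo.png", b"\x89PNG\x00\x00")
        zf.writestr("app/data.dat", b"abc\x00def")
        zf.writestr("../etc/passwd", "root:x:0:0\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = review_archive(build_sample_archive())
    print("reviewed:", sorted(result["reviewed"]))
    for path, reason in result["skipped"]:
        print(f"skipped {path}: {reason}")
```

The per-file read deliberately pulls one byte beyond the cap rather than trusting `file_size` from the central directory, since that field is attacker-controlled; the running total turns a crafted archive into a hard error instead of a memory exhaustion.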
Application security
- TLS 1.2+ for all traffic; no plaintext transport of source.
- Passwords stored as one-way scrypt hashes; signed, http-only session cookies.
- Authenticated, rate-limited API; per-plan usage quotas.
- Bring-your-own API key and self-hosting available for full data sovereignty.
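To show concretely what the second bullet above amounts to, here is an added Python example (written for this page, not CodeGuard's code) of salted scrypt password hashing with constant-time verification, plus an HMAC-signed session cookie issued with the HttpOnly, Secure and SameSite attributes and checked for signature and expiry on the way back in. The scrypt work factors, the cookie layout and the secret key are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Assumed scrypt work factors; the Service's real parameters are not stated on the page.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str) -> str:
    """One-way scrypt hash with a fresh 16-byte salt; parameters are stored with the hash."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        algo, n, r, p, salt, key = stored.split("$")
        if algo != "scrypt":
            return False
        expected = _unb64(key)
        candidate = hashlib.scrypt(password.encode(), salt=_unb64(salt),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def issue_session(user_id: str, secret: bytes, ttl: int = 3600,
                  now: Optional[float] = None) -> str:
    """Cookie value = base64url(JSON payload) '.' base64url(HMAC-SHA256 tag)."""
    exp = int((time.time() if now is None else now) + ttl)
    body = _b64(json.dumps({"uid": user_id, "exp": exp}, separators=(",", ":")).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def set_cookie_header(value: str, ttl: int = 3600) -> str:
    """HttpOnly keeps page scripts away from the cookie; Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: session={value}; Path=/; Max-Age={ttl}; HttpOnly; Secure; SameSite=Lax"


def verify_session(value: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user id for a correctly signed, unexpired cookie; otherwise None."""
    body, _, tag = value.partition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    current = time.time() if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) <= current:
        return None
    return payload.get("uid")


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    secret = os.urandom(32)  # constructed key; load from a secrets manager in practice
    cookie = issue_session("user-42", secret)
    print(set_cookie_header(cookie))
    print("session user:", verify_session(cookie, secret))
```

The signature is checked before the payload is parsed, so a forged or altered cookie never reaches the JSON decoder, and both comparisons use `hmac.compare_digest` so response time does not leak how many bytes matched.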
Compliance posture
We map our controls to SOC 2 and ISO/IEC 27001 practices and handle personal data in line with Hong Kong’s PDPO and the GDPR where applicable. We are not currently SOC 2 or ISO 27001 certified. Enterprise customers can request our current security documentation and a DPA.
Responsible disclosure
Found a vulnerability? Please report it to [security@yourdomain.com]. We will acknowledge and work with you in good faith; please do not access others’ data or disrupt the Service while testing.
Contact
Security questions or due-diligence requests: [security@yourdomain.com].