Security at CodeShield

Your code is sensitive. Here’s how we protect it.

Data in transit

  • TLS 1.2+ enforced everywhere. HSTS preloaded.
  • Strict CSP, X-Frame-Options DENY, nosniff, no referrer leaks.
  • All API endpoints require HTTPS.

Data at rest

  • Database encrypted at rest (managed Postgres on Vercel / AWS).
  • API keys stored as SHA-256 hashes — never in plaintext.
  • Secrets (OAuth tokens, webhook keys) stored encrypted.
  • No card data ever touches our servers (Stripe-tokenized).

Authentication & access control

  • GitHub OAuth (SSO). SAML/SSO for Business plans.
  • JWT sessions, HttpOnly & SameSite=Lax cookies.
  • Rate limiting per IP and per API key.
  • HMAC-SHA256 signature verification for GitHub & Stripe webhooks.
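The webhook check listed above, as an added example that is not CodeShield's own code: constant-time HMAC-SHA256 verification of GitHub's `X-Hub-Signature-256` header (`sha256=<hex>`) and Stripe's `Stripe-Signature` header (`t=<ts>,v1=<hex>`, signed payload `<ts>.<body>`). The secret and payload are constructed; the signing helpers exist only so the verifiers can be exercised offline.

```python
import hmac
import hashlib


def _digest(secret: bytes, data: bytes) -> str:
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def _equal(a: str, b: str) -> bool:
    # Constant-time compare so a mismatch does not leak where the bytes differ.
    return hmac.compare_digest(a.encode(), b.encode())


def sign_github(secret: bytes, body: bytes) -> str:
    """Build the X-Hub-Signature-256 value GitHub sends ("sha256=<hex>")."""
    return "sha256=" + _digest(secret, body)


def verify_github(secret: bytes, body: bytes, header: str) -> bool:
    """Verify a GitHub webhook against the raw (unparsed) request body."""
    if not header.startswith("sha256="):
        return False
    return _equal(sign_github(secret, body), header)


def sign_stripe(secret: bytes, body: bytes, ts: int) -> str:
    """Build a Stripe-Signature value; the signed payload is "<ts>.<body>"."""
    return f"t={ts},v1=" + _digest(secret, f"{ts}.".encode() + body)


def verify_stripe(secret: bytes, body: bytes, header: str, now: int, tolerance: int = 300) -> bool:
    """Verify a Stripe webhook; timestamps outside `tolerance` seconds are rejected to limit replay."""
    fields: dict = {}
    for part in header.split(","):
        key, _, value = part.partition("=")
        fields.setdefault(key.strip(), []).append(value.strip())
    try:
        ts = int(fields["t"][0])
    except (KeyError, ValueError):
        return False
    if "v1" not in fields or abs(now - ts) > tolerance:
        return False
    expected = _digest(secret, f"{ts}.".encode() + body)
    # Stripe may send several v1 values during secret rotation; any valid one passes.
    return any(_equal(expected, sig) for sig in fields["v1"])


if __name__ == "__main__":
    secret = b"constructed-webhook-secret"      # constructed, not a real secret
    body = b'{"action":"opened","number":1}'    # constructed sample payload
    print(verify_github(secret, body, sign_github(secret, body)))                            # True
    print(verify_stripe(secret, body, sign_stripe(secret, body, 1_700_000_000), now=1_700_000_100))  # True
    print(verify_stripe(secret, body, sign_stripe(secret, body, 1_700_000_000), now=1_700_001_000))  # False (stale)
```

Always verify against the raw request bytes; re-serialising a parsed JSON body changes whitespace and key order and will not match the sender's digest.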

How we handle your code

  • Code is processed to produce scan results, then discarded from working memory.
  • We store findings (line numbers, severity) — not your full source.
  • AI auto-fix sends only the affected snippet to Anthropic, on explicit user request.
  • We never use your code to train public AI models.

Infrastructure

  • Hosted on Vercel (SOC 2 Type II, ISO 27001).
  • Database: managed Postgres with automated daily backups, 30-day retention.
  • Dependencies scanned daily by Dependabot + CodeShield itself.
  • Quarterly internal security reviews.

Responsible disclosure

Found a vulnerability? Please report it to security@codeshield.sh. We’ll confirm receipt within 24 hours and keep you updated as we investigate.

We commit not to pursue legal action against good-faith researchers who respect user privacy, data integrity, and service availability.

Compliance

  • GDPR-aligned — Data Processing Addendum available on request.
  • SOC 2 Type II — in progress (target Q4 2026).
  • EU data residency option — available for Business plans.