We read your repos. We owe you our security posture in return. Here's what we do, what we don't do, and how to reach us if you find a hole.
Plain language. Where we made a choice, we'll tell you why.
Everything in transit and at rest, no exceptions.
Least-privilege by default for our team. Audited every change.
Your source is the most sensitive thing we touch. We treat it accordingly.
Hosted on AWS in us-east-1. Multi-AZ. No third-party CDN sees your code.
EU customers can request eu-west-1 at no extra cost. Findings never leave your chosen region.
We get audited so your auditors don't have to ask us 200 questions.
Promises by omission are easy. So here's the explicit list.
From your git push to the finding in your PR — every hop, every key, where the boundaries are.
No. Scan containers clone, scan, and exit. The container's disk is destroyed on exit. The control-plane database stores findings (file path + line number + rule ID + diff hint), not source code itself.
No. Our detection works on hand-written rules, not learned ones. We don't use customer code for any kind of model training, fine-tuning, or evaluation, period.
Default is AWS us-east-1 with multi-AZ replication. EU customers can request eu-west-1 on any paid plan. Findings stay in your chosen region; backups stay in the same region pair.
Read on code, read on metadata, write on pull-request comments. We never request write on code. You can review the exact scopes at github.com/settings/installations and revoke at any time.
Findings are purged within 7 days. Backups containing your findings expire within 30 days. We retain account-level metadata (email, plan history) for 12 months for tax purposes only, then drop it.
Yes — request it under a one-page NDA. Email security@secureos.dev and we'll send it within one business day.
No. If we ever do, we'll tell every affected customer within 72 hours, post a public incident report, and re-issue any compromised credentials. We will not bury it in a tweet.
We acknowledge reports within 24 hours and confirm fix or won't-fix within 5 business days. Critical issues get same-day attention. We pay bounties for verified vulnerabilities — typically $250 to $10,000 depending on severity and impact. No legal pursuit of good-faith research.
security@secureos.dev