Security at SecureOS

The company that secures your code holds itself to the same bar.

We read your repos. We owe you our security posture in return. Here's what we do, what we don't do, and how to reach us if you find a hole.

SOC 2 Type II
GDPR ready
Encrypted at rest
MFA enforced
24/7 monitoring

How we handle your code.

Plain language. Where we made a choice, we'll tell you why.

Encryption

Everything in transit and at rest, no exceptions.

  • TLS 1.3 for all traffic; HSTS preloaded.
  • AES-256-GCM for data at rest.
  • Per-customer encryption keys, rotated quarterly via AWS KMS.
  • Backups encrypted with separate keys, stored in a separate region.
Verified by SOC 2 Type II auditor · Drata

Access

Least-privilege by default for our team. Audited every change.

  • SSO + hardware MFA mandatory for everyone, including the founders.
  • Production access requires a written ticket and a second approver.
  • All admin actions logged to an append-only audit trail.
  • Engineers cannot SSH into production. Period.
Quarterly access review · last completed Apr 2026

Code handling

Your source is the most sensitive thing we touch. We treat it accordingly.

  • Scans run in ephemeral, single-tenant containers. Disk wiped after each run.
  • We never persist your source code. We persist findings + line numbers, not the lines themselves.
  • No human at SecureOS reads your code without an explicit support ticket and your written go-ahead.
Default retention: 0 days for code · 90 days for findings

Infrastructure

Hosted on AWS in us-east-1. Multi-AZ. No third-party CDN sees your code.

  • Private VPC with no public ingress except the LB.
  • WAF + DDoS protection at the edge.
  • Continuous vulnerability scanning of our own dependencies — yes, we run Sentinel on ourselves.
  • Backups: 30-day point-in-time recovery for the control plane DB.
Status page: status.secureos.dev

Data residency

EU customers can request eu-west-1 at no extra cost. Findings never leave your chosen region.

  • Data export available on demand: JSON, one-click, no support ticket.
  • Account deletion purges all findings within 7 days, backups within 30.
  • GDPR DPA available on the Team plan.
EU residency adds ~80ms to scan latency · acceptable to most

Compliance

We get audited so your auditors don't have to ask us 200 questions.

  • SOC 2 Type II — renewed annually, available under NDA.
  • GDPR controller / processor agreement available on request.
  • HIPAA BAA on the Team plan for healthcare customers.
  • Quarterly third-party penetration test (yes, Penetrator pen-tests us first).
Next external pen test: Jul 2026

What we don't do

Promises by omission are easy. So here's the explicit list.

We don't train ML models on your code. Sentinel's rulepack is hand-curated. Your repos are not training data.
We don't write to your repo without your OK. Apply-fix requires you to click. No silent commits, ever.
We don't store your secrets. If Sentinel finds a secret, the finding records the location — never the value.
We don't sell your data. No data brokerage, no ad-tech partners, no "anonymized" telemetry sold downstream.
We don't ship a third-party CDN with your dashboard. No Google Analytics, no Segment, no Intercom on app.secureos.dev.
We don't share findings between customers. Each customer's data lives in a logically isolated tenant.

What happens when you push code.

From your git push to the finding in your PR — every hop, every key, where the boundaries are.

Scan data flow

All hops over TLS 1.3
1 · Source
Your repo
GitHub webhook
2 · Ingest
Edge router
us-east-1 / eu-west-1
3 · Compute
Ephemeral container
single tenant · ~12s lifetime
4 · Findings
Encrypted DB
AES-256-GCM at rest
5 · Delivery
PR comment + dashboard
90-day retention
Single-tenant compute boundary Multi-tenant control plane Your source: never persisted after step 3

Questions auditors ask us first.

Do you store our source code?

No. Scan containers clone, scan, and exit. The container's disk is destroyed on exit. The control-plane database stores findings (file path + line number + rule ID + diff hint), not source code itself.

Do you train models on our repos?

No. Our detection works on hand-written rules, not learned ones. We don't use customer code for any kind of model training, fine-tuning, or evaluation, period.

Where is the data stored, and can I choose?

Default is AWS us-east-1 with multi-AZ replication. EU customers can request eu-west-1 on any paid plan. Findings stay in your chosen region; backups stay in the same region pair.

What permissions does the GitHub App need?

Read on code, read on metadata, write on pull-request comments. We never request write on code. You can review the exact scopes at github.com/settings/installations and revoke at any time.

What happens if I delete my account?

Findings are purged within 7 days. Backups containing your findings expire within 30 days. We retain account-level metadata (email, plan history) for 12 months for tax purposes only, then drop it.

Can I get a SOC 2 report?

Yes — request it under a one-page NDA. Email security@secureos.dev and we'll send it within one business day.

Have you ever had a breach?

No. If we ever do, we'll tell every affected customer within 72 hours, post a public incident report, and re-issue any compromised credentials. We will not bury it in a tweet.

Found something? Tell us.

Email security@secureos.dev — PGP key on file.

We acknowledge reports within 24 hours and confirm fix or won't-fix within 5 business days. Critical issues get same-day attention. We pay bounties for verified vulnerabilities — typically $250 to $10,000 depending on severity and impact. No legal pursuit of good-faith research.

Report a vulnerability View PGP key