🛡️ FULL TRANSPARENCY

Security & Privacy

We're a security product, so your trust in us matters more than our marketing copy. Here's exactly what happens to your code, where it goes, and how we protect it.

What we store about your code

Data                                              Status                    Notes
Source code (the actual files)                    Never stored              ZIPs and repo tarballs are held in memory only while the scan runs and discarded when it finishes.
Vulnerability findings (title, line, file path)   Stored                    Needed to show you results. Bound to your account; private by default.
Scan metadata (project name, source, timestamps)  Stored
GitHub access token                               Encrypted                 AES-256-GCM with a key derived from our AUTH_SECRET, which lives only in the application environment. Even a DB admin holding a full copy of the database cannot read it without that env var.
Password                                          Hashed (bcrypt, cost 12)  Cannot be reversed. We never store your plaintext password.
Email address                                     Stored                    Used for login and scan-complete emails.
Stripe customer ID (no card details)              Stored                    Stripe holds your card. We only hold the reference ID.
Logs (IP, user agent on auth events)              Anonymised                IPs are truncated to /24 (IPv4) or /48 (IPv6) before storage.

Where your code goes

CLI (npx bryxe scan)

100% local. Nothing leaves your machine. The most paranoid option.

Standard scan (ZIP / GitHub) — free tier

Your code is processed in memory on our servers (Vercel, US East) and is not sent anywhere else. Findings are persisted to Postgres (Supabase, US East). No third-party service beyond those two hosting providers ever sees your code.

Deep scan (paid, opt-in)

Up to 8 files of at most 12 KB each (≈ 96 KB in total) are sent to the Anthropic API for the AI audit pass. Anthropic does not train on API traffic. Its default retention for API data is 30 days (zero-data-retention is available to enterprise customers on request).

URL scan

We fetch() the public URL you give us from our servers, with no cookies or credentials of yours attached, so the site sees what any anonymous browser would. No private code is involved. The fetcher refuses to connect to cloud-metadata addresses (169.254.169.254 and the like), RFC 1918 private ranges, link-local addresses, etc.

How we protect ourselves (so we protect you)

  • ✓ TLS everywhere (HSTS preload-eligible, 2-year max-age, includeSubDomains)
  • ✓ Strict CSP with no unsafe-eval, object-src 'none', frame-ancestors 'none'
  • ✓ Cross-Origin-Opener-Policy: same-origin + Cross-Origin-Resource-Policy: same-origin (XS-Leaks defence)
  • ✓ Account lockout after 5 failed logins in 15 minutes (per email + per IP)
  • ✓ Sessions revoked on every password change (force re-login on all devices)
  • ✓ AES-256-GCM at rest for GitHub OAuth tokens; bcrypt (cost 12) for passwords
  • ✓ Stripe + GitHub webhook signature verification (constant-time HMAC compare)
  • ✓ Per-route rate limiting (token bucket in DB)
  • ✓ CSRF protection via Origin header check + SameSite=Lax cookies
  • ✓ ZIP-bomb protection (capped extracted bytes, file count, single-file size)
  • ✓ Path-traversal rejection on every archive entry
  • ✓ SSRF defence on URL scanner (blocklist applied to the DNS-resolved address, not just the hostname; file:// rejected)
  • ✓ Production source maps disabled, X-Powered-By stripped
  • ✓ Audit log on every auth event, GitHub-integration change, account deletion
  • ✓ GDPR data export + right-to-erasure at /app/profile

Report a vulnerability

Found a bug? Email security@bryxe.app. Acknowledgement within 24 hours, fix SLA per severity in our SECURITY.md.

Safe-harbour applies if you follow responsible disclosure (no DoS, no data exfiltration beyond PoC, give us time to fix).

What's next

  • 📋 SOC 2 Type I audit — Q3 2026
  • 🔐 Customer-managed encryption keys (BYOK) — for enterprise
  • 🌐 EU region (data residency) — Q4 2026
  • 🐳 Self-hosted Docker image — for the most paranoid customers

Hall of fame

Researchers who responsibly disclosed vulnerabilities will be listed here. Be the first.