SecurityChecks

Security

How we handle your code and keep your data safe.

Last updated: January 26, 2026

The short version

We scan your code for security issues. We store findings (file paths, line numbers, what we found). We delete the code after scanning. We don't train on your code. We don't sell your data.

We don't train AI on your code

Your code is never used to train machine learning models. Period.

  • Not for our models
  • Not sold to third parties
  • Not shared with AI providers
  • Not used for "product improvement" training

We use deterministic pattern matching and static analysis—not LLMs—for detection. When we do use AI (for remediation suggestions), it's stateless and your code isn't retained.

How Scanning Works

CLI Local Mode

Most Private

Run npx @securitychecks/cli run

  • Code never leaves your machine
  • Fact extraction runs locally, evaluation in the cloud
  • Only structural metadata sent (call graphs, auth patterns)
  • Findings returned to your terminal
  • Requires free API key for cloud evaluation

Perfect for: Pre-commit hooks, local development, CI pipelines

Cloud Mode (CI/CD)

Run scheck run --cloud or via GitHub Actions

  • Code artifact uploaded (encrypted, AES-256)
  • Processed in isolated container
  • Artifact deleted immediately after scan
  • Only findings stored (not your code)
  • Enables PR comments & dashboard

Perfect for: CI pipelines, PR checks, team visibility

What We Store

Stored permanently (until you delete)

  • Finding metadata: file paths, line numbers, invariant IDs, severity
  • Code snippets: the specific lines containing findings (for evidence)
  • Scan results: timestamps, finding counts, duration
  • Account data: email, organization name, billing info

Stored temporarily (deleted after scan)

  • Code artifacts for cloud scans (encrypted, deleted within 24 hours)
  • Processing logs (deleted after 7 days)

Never stored

  • Complete repository contents
  • Git history
  • Secret values (we report their presence, not their content)
  • Code from local CLI runs (stays on your machine)

Cloud Scan Lifecycle

  1. Upload: Code artifact sent to encrypted R2 storage (AES-256)
  2. Queue: Scan job queued (we use QStash for reliable delivery)
  3. Process: Isolated worker downloads artifact, runs checks
  4. Store: Only findings saved to database
  5. Delete: Artifact deleted immediately after successful scan

Failed scans retain artifacts for 24 hours for debugging, then auto-delete.

Infrastructure

  • Hosting: Vercel (web app), Fly.io (workers)
  • Database: Neon PostgreSQL with row-level security
  • Storage: Cloudflare R2 (encrypted at rest)
  • Auth: Clerk (handles passwords, sessions, OAuth)
  • Payments: Stripe (we never see card numbers)

Encryption

  • All connections use TLS 1.3
  • Database encrypted at rest (AES-256)
  • Artifact storage encrypted at rest (AES-256)

Access Control

  • Data is scoped to your organization (row-level security in database)
  • API keys are scoped to your organization
  • Team members see only their organization's data
  • We (the SecurityChecks team) do not access customer data unless you explicitly request support and grant access

What We Don't Have (Yet)

We're a small team. Here's what we're working toward:

  • SOC 2: Not certified yet. Our infrastructure providers (Vercel, Clerk, Stripe) are SOC 2 Type II certified.
  • Self-hosted option: Not available yet. Contact us if this is a requirement.
  • On-premise: Not available. We're cloud-only for now.
  • Bug bounty program: Not formalized yet, but we appreciate responsible disclosure.

Found a Security Issue?

Email us at security@securitychecks.ai

  • We'll acknowledge within 48 hours
  • We'll keep you updated on our fix
  • We won't take legal action against good-faith researchers

Your Data Rights

  • Export: Download your scan results and findings anytime
  • Delete: Delete your account and all associated data
  • Correct: Update your account information in settings

Email privacy@securitychecks.ai for data requests.

Questions?

Email us at hello@securitychecks.ai