Security at GitSniff
Trust is our currency. We employ enterprise-grade security measures to protect your intellectual property at every stage of the review process.
End-to-End Encryption
All data is encrypted in transit via TLS 1.3 and at rest using AES-256.
Zero-Retention Analysis
Code is processed in volatile memory and discarded immediately after inference.
Compliance Ready
GDPR and CCPA compliant. SOC 2 Type II certification in progress (expected Q2 2026).
Infrastructure Security
Cloud Security
GitSniff is hosted on Vercel's edge network with database infrastructure on Supabase (AWS). All infrastructure follows security best practices with strict network isolation, automated security patches, and continuous monitoring. Our compute environments are protected by enterprise-grade firewalls and access controls.
Data Isolation
Tenant data is logically isolated. For enterprise customers, we offer single-tenant deployments where compute resources are completely dedicated to your organization. Contact us to learn more.
Application Security
Authentication & Access
We support SSO (Single Sign-On) via Google Workspace, GitHub, and SAML providers (Okta, Azure AD) for Enterprise plans. MFA is enforced for all administrative access.
Vulnerability Management
We perform regular automated scans of our dependencies and infrastructure. We engage third-party security firms for annual penetration testing.
AI Model Security
No Training on User Code
We never use your private code to train AI models. All AI providers we use (Anthropic, OpenAI, Google, etc.) are contractually prohibited from training on your data. We use only frozen, pre-trained models for inference.
Zero-Retention Processing
Code is processed in volatile memory only. After generating a review, your source code is immediately discarded. We retain only metadata (PR number, risk score) and the generated review comments for your dashboard.
Operational Security
Incident Response
We maintain a comprehensive incident response plan with 24/7 monitoring, automated alerting, and defined escalation procedures. In the event of a security incident, we will notify affected customers within 72 hours and provide regular updates throughout the resolution process.
Access Controls
All internal access to production systems requires multi-factor authentication (MFA) and is logged for audit purposes. We follow the principle of least privilege, granting employees only the access necessary for their roles. Access is reviewed quarterly.
Third-Party Security
We carefully vet all third-party services we use to ensure they meet our security standards:
- Supabase: SOC 2 Type II certified, GDPR compliant database and authentication provider.
- Stripe: PCI DSS Level 1 certified payment processor. We never handle raw payment card data.
- OpenRouter: AI gateway with zero data retention and enterprise security guarantees.
- Vercel: SOC 2 Type II certified hosting with automatic DDoS protection and edge security.
- GitHub: Industry-leading code hosting platform with robust security controls and audit logging.
Responsible Disclosure
Found a vulnerability? Please report security issues responsibly. We pledge to investigate all legitimate reports within 24 hours and provide updates within 72 hours.
Security Email: security@gitsniff.ai
PGP Key Fingerprint: Available upon request