Privacy architecture

How we keep your code private

Privacy is not a promise — it's a verifiable architecture. Read every layer, audit every claim, hold us accountable.

Last updated: May 11, 2026

1. The four layers we built

Each layer is independently auditable. You can verify any claim below by reading our open-source scanner, our audit log, or our infrastructure docs.

  • Client-side scan via GitHub Actions — The scanner runs inside your own CI runner. We receive only structured findings (file path, line number, algorithm name). In this default path your source code never leaves your infrastructure.
  • Memory-only fallback (zero persistence) — When server-side processing is required, code is held in RAM only for the duration of the scan, and the container is destroyed afterwards. No disk write, no logs, no caches. This is the only path in which code transits our systems.
  • Open-source scanner core — The scanner core is MIT-licensed on GitHub with reproducible builds. Build it yourself and verify that the hash of your build matches the hash we publish for the binary running in production.
  • Audit log per access — Every internal access generates an audit entry visible to you. You see who looked at your findings, when, and why — with cryptographic hashes.

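The audit-log layer above says each entry carries a cryptographic hash and that the log is independently auditable. The block below is an added illustration of how a customer could verify a hash-chained access log and what such a check does and does not catch; it is example code, not QuantumScan's implementation. The entry fields (timestamp, actor, action, reason, prev_hash), the all-zero GENESIS sentinel, the canonical-JSON hashing scheme and the sample entries are assumptions made for the example.

```python
"""Tamper-evident audit log as a SHA-256 hash chain (added example, not
QuantumScan's code). Each entry commits to its own fields and to the hash of
the previous entry, so a customer holding a copy can recompute every link."""
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel prev_hash for the first entry


def _canonical(fields: dict) -> bytes:
    """Deterministic JSON so the server and the customer hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(fields: dict) -> str:
    return hashlib.sha256(_canonical(fields)).hexdigest()


def append_entry(log, timestamp, actor, action, reason):
    """Append one access entry, chained to the previous entry's hash."""
    fields = {
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "reason": reason,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(fields, hash=entry_hash(fields))
    log.append(entry)
    return entry


def verify_chain(log, expected_head=None):
    """Recompute every hash and check every link.

    Returns (ok, index): index is the first bad entry, or -1 when the chain is
    intact. If the customer recorded the latest hash out-of-band
    (expected_head), truncation of the tail is detected as well.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if fields.get("prev_hash") != prev or entry_hash(fields) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, -1


def build_sample_log():
    """Constructed sample entries for the demo; not real access records."""
    log = []
    append_entry(log, "2026-05-11T09:12:03Z", "support@example.test",
                 "findings.read", "Ticket 123: customer asked about an RSA finding")
    append_entry(log, "2026-05-11T10:40:55Z", "oncall@example.test",
                 "findings.export", "CSV export generated on customer request")
    append_entry(log, "2026-05-11T11:02:17Z", "support@example.test",
                 "audit.read", "Confirmed the export completed")
    return log


def tamper_demo():
    """Exercise the verifier against an intact log and three tampered copies."""
    log = build_sample_log()
    head = log[-1]["hash"]  # the customer stores this after each report
    intact = verify_chain(log, head)

    # 1. Rewriting a recorded reason invalidates that entry's own hash.
    edited = json.loads(json.dumps(log))  # deep copy
    edited[1]["reason"] = "Routine maintenance"
    edit_result = verify_chain(edited)

    # 2. Dropping a middle entry breaks the next entry's prev_hash link.
    dropped = [log[0], log[2]]
    drop_result = verify_chain(dropped)

    # 3. Cutting off the tail leaves a chain that is internally consistent...
    truncated = log[:2]
    trunc_without_head = verify_chain(truncated)
    # ...so only the externally stored head hash exposes it.
    trunc_with_head = verify_chain(truncated, head)

    return {
        "intact": intact,
        "edited": edit_result,
        "dropped": drop_result,
        "truncated_no_head": trunc_without_head,
        "truncated_with_head": trunc_with_head,
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

The practical point is the third case: a hash chain alone cannot tell you that the newest entries were deleted, because the shortened log still verifies. Whoever audits the log has to keep the most recent hash somewhere the log operator cannot alter (the dashboard export from section 4 is a natural place to capture it) and check the chain head against it on the next export.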
2. What we do NOT collect

By architecture, not by promise. The following data never enters our systems:

  • Your source code at rest (we store only file paths, line numbers, and algorithm names from findings; in the memory-only fallback, code is held in RAM only while the scan runs)
  • Your repository contents, branches, history, or commits
  • Your team members' personal data beyond what Clerk needs for authentication
  • Your billing information (Stripe handles cards directly — we never see them)
  • Your IP address linked to scan content (IP addresses are used only in aggregate for rate-limiting and are never stored alongside findings)

3. What we DO collect (and why)

Minimum necessary to run the product:

  • Findings metadata — file path, line number, algorithm name, severity. Used to render your scan report.
  • Aggregated anonymized patterns — e.g. "% of LATAM repos using RSA-2048". Powers Phase 1 dataset. Never linked back to a customer.
  • Account data — email (via Clerk), org name. Used for login and billing.
  • Audit log — every internal access (timestamp, actor, action, reason). Visible to you, retained 12 months.

4. Your rights

Available now via your dashboard or by email:

  • Export — download all your findings and audit log as JSON or CSV.
  • Delete — wipe all your data on demand. We confirm deletion within 7 days.
  • Access — see who internally accessed your findings, when, and why.
  • Portability — CBOM CycloneDX 1.7 export coming Q2 2026.

5. Sub-processors

We use these third parties. Each is contractually bound to our privacy commitments:

  • Anthropic (Claude API) — LLM analysis. Code excerpts are processed in memory and are not logged by Anthropic, per their data usage policy. This is the only sub-processor in this list that receives code excerpts.
  • Neon (Postgres) — Findings metadata. EU + US regions. Encrypted at rest.
  • Clerk — Authentication only. No scan data.
  • Resend — Transactional email. No scan data in email body, only links.
  • Cloudflare R2 — Static asset hosting (reports). Encrypted, signed URLs only.
  • Vercel — App hosting. No scan data persisted at edge.
  • PostHog (self-hosted EU) — Anonymous analytics. No PII, no scan content.
  • Sentry — Error monitoring. PII scrubbed before send.

6. Phase 1 data-first stance

QuantumScan is free for all design partners through Phase 1 (until the DORA enforcement window, ~Q3-Q4 2026). In exchange, we collect anonymized aggregated patterns from your scans to build the first LATAM cryptography benchmark dataset. You retain ownership of your scan data. Aggregated patterns can never be reverse-engineered back to your repos.

7. Compliance

Our roadmap is aligned with the regulations you must meet:

  • GDPR — Data controller in EU. DPA available on request.
  • LGPD — Brazilian data protection. Local representative on file.
  • DORA — Operational resilience reporting via PQC inventory.
  • NIS2 — Crypto-agility evidence for Article 21.
  • SOC 2 Type II — In progress, target Q4 2026.

Questions?

Email us. We answer within 1 business day. For DPA requests, mention "DPA" in the subject line.

privacy@quantumscan.io