Last updated: March 21, 2026
Security Overview
ScanFix is designed to keep your repositories safe while providing fast, high-quality analysis. This page summarizes our current controls and provider dependencies.
1. Overview
Security is built into our product lifecycle, infrastructure, and processes. We minimize data exposure, encrypt everything in transit and at rest, and continuously monitor for regressions.
2. Data flow and storage
- Repositories are cloned only for the duration of analysis in isolated workers.
- Source code is deleted automatically after analysis completes; retained artifacts are findings and metrics.
- Audit logs capture access to analysis jobs, findings, and administration events.
3. LLM usage
For advanced reasoning in findings and remediation suggestions, ScanFix uses Anthropic and OpenAI models. Requests are scoped to the minimal context needed, and we do not allow either provider to train on your data.
4. Encryption
- TLS 1.2+ for all data in transit.
- Encrypted storage for findings, logs, and credentials at rest.
- Secrets are stored in a dedicated secrets manager and never written to logs.
5. Access controls
- Least-privilege IAM roles for services and staff.
- MFA enforced for administrative access.
- Role-based access and scoping for customer users.
6. Compliance
- GDPR-aligned practices: data subject rights, DPA on request, and EU data handling controls.
- Data processing agreements in place with Anthropic, OpenAI, and other sub-processors.
- Continuous security testing, dependency scanning, and vulnerability management.
7. Incident response
We maintain a documented incident response plan with 24/7 on-call rotation. Customers are notified without undue delay if their data is impacted, including scope, remediation steps, and follow-up actions.
8. Responsible disclosure
We welcome reports from security researchers. Please email security@scanfix.ai with details; do not test in ways that could disrupt the service or access other customers' data.
9. Contact
- Security: security@scanfix.ai
- Privacy & Data: privacy@scanfix.ai