Security & data handling
Last updated: March 22, 2026
This page describes how we run the service, what infrastructure we use, and which third parties may process data on our behalf. For legal terms about personal data, see our Privacy Policy.
Architecture & retention (overview)
Our product is designed so that routine scans do not require keeping a full copy of your source repository on our servers for ongoing storage. Analysis results shown in your report (scores, findings, summaries) may be stored so you can return to them. Exact retention for private repositories and OAuth-based access will be documented here as those features reach general availability—aligned with our engineering review.
Infrastructure
- Hosting — The web application and API routes are deployed on managed infrastructure (e.g. Vercel or equivalent) with HTTPS in transit.
- Database — Where configured, we may use a managed PostgreSQL provider for reports, purchases, and operational data as described in our Privacy Policy.
Subprocessors & third-party services
We use the following categories of providers to operate SystemAudit.dev. Specific vendors may change; we will update this table when we add or replace a material subprocessor.
| Category | Purpose | Typical provider(s) |
|---|---|---|
| Payments | Process payments for paid tiers | Stripe |
| | Transactional and lead notifications | SendGrid (or equivalent) |
| Repository access | Read repository metadata and files for analysis (public repos today) | GitHub API |
| Analytics | Understand traffic and product usage | Google Analytics (if enabled for your session) |
| AI / LLM | Deep analysis, chat assistant, and related features where offered | Configured model provider(s) per environment |
Enterprise & DPA
Custom data processing agreements (DPAs) and security questionnaires are available when needed for enterprise procurement. Contact us with your requirements.
Contact
Security questions: support@systemaudit.dev