Skip to content
Our open-source security work.See the research
Trust centre

Current facts about how we handle code and data.

No aspirational badges. This page lists what is true today: how Sebastion processes code, which providers help run it and how to reach us about security.

Compliance posture

Status
SOC 2 / ISO 27001Not certified today
DPAAvailable on request
HIPAA / PCINot in scope
Vulnerability disclosurePublished policy + security.txt

Hosting and data handling

Where + how
Application hostingManaged cloud hosting
DNS and edge securityCloudflare
Encryption in transitHTTPS / TLS
Encryption at restManaged provider encryption for persisted data
  • Source code is processed for PR/MR review and is not used to train Foundation Machines models.
  • We retain findings and operational metadata needed to show audit history, support suppressions and debug product issues.
  • We use provider controls intended to prevent model vendors training on customer prompts and responses.

Sub-processors

These providers may process customer data as part of installing, authenticating, running audits or sending product email.

VendorPurposeRegion
GitHubGitHub App installation, repository metadata and OAuthGlobal
GitLabGitLab SaaS integration, group/project metadata and OAuthGlobal
AnthropicFrontier model inferenceUS
OpenAIFrontier model inferenceUS
OpenRouterModel routing fallbackUS
VercelApplication hostingGlobal
CloudflareDNS, edge security and email routingGlobal
StripePayment processing and billingGlobal
PostHogProduct analytics (opt-in)EU
Firebase Auth (Google)Sign-in and identityGlobal
ResendTransactional emailGlobal

Incident history

We have not had a reportable security incident to date. If that changes, we will publish a post-mortem for incidents that affect customer data or availability.