Trust Center

We scan code for a living.
We hold ourselves to the same bar.

Impact runs its own detector on its own source on every push. We use the same encryption, the same OAuth scopes, the same secret-management patterns we recommend to our customers. This page is a complete inventory of how that works.

Encrypted in transit and at rest

Every connection runs over TLS 1.3. Git PATs are AES-256-GCM encrypted before they touch our database. JWT secrets are stored exclusively in your cloud provider's secret manager (Azure Key Vault, AWS Secrets Manager, GCP Secret Manager).

Read-only by default

Impact analyzes your code. It does not modify it. The GitHub / GitLab / Bitbucket OAuth scopes we request are read-only on repository contents and metadata. We never request write access, push permission, or admin rights.

Single-tenant on request

Self-host the entire stack in your own VPC with our docker-compose bundle, or take our Enterprise tier for a dedicated Azure / AWS subscription managed by us. Your code never leaves your boundary.

No long-lived secrets in our source

We use the same hardcoded-credential detector on our own codebase as we ship to customers. Every push runs through it. CI fails if a real secret is committed.

Controls Inventory

What we do, in detail.

Identity & Access

  • JWT auth with short-lived access tokens (15 min) + refresh rotation
  • Per-user tier overrides for granular access control
  • Owner / Admin / Member / Viewer role-based access
  • SAML 2.0 SSO via WorkOS (Enterprise tier)
  • OAuth via GitHub / GitLab / Bitbucket with read-only scopes
  • API key rotation with one-click revoke and per-key usage telemetry

Data Protection

  • TLS 1.3 for all customer traffic; HSTS preload, modern cipher suites only
  • AES-256-GCM encryption for Personal Access Tokens at rest
  • SQLite WAL mode with periodic snapshot to Azure Files (encrypted)
  • Per-environment secret isolation via Azure Key Vault / AWS Secrets Manager
  • No third-party trackers, no advertising pixels, no session replay
  • Data minimization: source code is retained only for the active analysis window, then discarded

Application Security

  • Rate-limited authentication endpoints (express-rate-limit)
  • SSRF protection on user-supplied repo URLs (no internal-IP fetch)
  • CORS allowlist enforced on every API surface
  • Webhook payloads verified via HMAC-SHA256 (GitHub-app-style)
  • Content Security Policy headers on every response
  • All dependencies scanned against OSV.dev CVE feed on every deploy

Infrastructure

  • Hosted on Azure Container Apps with managed identity (no long-lived service creds)
  • Application Insights for audit logging — every config change tracked
  • Encrypted Azure Files volumes for persistent storage
  • WAF + DDoS protection via Azure Front Door
  • Backups every 4 hours, 30-day point-in-time restore
  • Tear-down + redeploy verified weekly via the documented runbook

Detection & Response

  • Application Insights alerts on error-rate spikes and auth anomalies
  • Stripe webhook signature verification for every billing event
  • OSV.dev CVE feed wired into analysis output — alerts on vulnerable deps
  • Quarterly tabletop exercise for incident response procedures
  • Coordinated disclosure: security@impactcodeanalysis.com with 90-day patch SLA

Vendor Management

  • Azure (data hosting) — SOC 2 Type II, ISO 27001, FedRAMP High
  • Stripe (billing) — SOC 2 Type II, PCI DSS Level 1
  • Anthropic (AI explain) — SOC 2 Type II, no training on customer data
  • Resend (email) — SOC 2 Type II
  • WorkOS (SSO) — SOC 2 Type II
  • Sub-processor list reviewed quarterly; updated in this page when it changes

Compliance Posture

Certifications & frameworks.

We tell you the truth about where we are, not where we want to be.

SOC 2 Type II
In progress (audit Q3 2026)
GDPR
Compliant — DPA available on request
CCPA
Compliant
HIPAA
BAA available on Enterprise tier
PCI DSS
N/A — billing is delegated to Stripe

Found a vulnerability?

We run a coordinated-disclosure program. Email security@impactcodeanalysis.com with reproduction steps. We acknowledge within 24 hours, patch within 90 days, and credit you in the changelog (your choice).

Please do not file disclosure reports as public GitHub issues.

Need a DPA, BAA, or security questionnaire?

We turn around standard procurement docs in under 48 hours. If you're filling out a security review, we have pre-completed CAIQ / SIG / VSA responses ready to send.