We scan code for a living.
We hold ourselves to the same bar.
Impact runs its own detector on its own source on every push. We use the same encryption, the same OAuth scopes, the same secret-management patterns we recommend to our customers. This page is a complete inventory of how that works.
Encrypted in transit and at rest
Every connection runs over TLS 1.3. Git PATs are encrypted with AES-256-GCM before they touch our database. JWT secrets are stored exclusively in your cloud provider's secret manager (Azure Key Vault, AWS Secrets Manager, GCP Secret Manager).
Read-only by default
Impact analyzes your code. It does not modify it. The GitHub / GitLab / Bitbucket OAuth scopes we request are read-only on repository contents and metadata. We never request write access, push permission, or admin rights.
Single-tenant on request
Self-host the entire stack in your own VPC with our docker-compose bundle, or take our Enterprise tier for a dedicated Azure / AWS subscription managed by us. Your code never leaves your boundary.
No long-lived secrets in our source
We use the same hardcoded-credential detector on our own codebase as we ship to customers. Every push runs through it. CI fails if a real secret is committed.
Controls Inventory
What we do, in detail.
Identity & Access
- JWT auth with short-lived access tokens (15 min) and refresh-token rotation
- Per-user tier overrides for granular access control
- Owner / Admin / Member / Viewer role-based access
- SAML 2.0 SSO via WorkOS (Enterprise tier)
- OAuth via GitHub / GitLab / Bitbucket with read-only scopes
- API key rotation with one-click revoke and per-key usage telemetry
Data Protection
- TLS 1.3 for all customer traffic; HSTS preload, modern cipher suites only
- AES-256-GCM encryption for Personal Access Tokens at rest
- SQLite WAL mode with periodic snapshot to Azure Files (encrypted)
- Per-environment secret isolation via Azure Key Vault / AWS Secrets Manager
- No third-party trackers, no advertising pixels, no session replay
- PII minimization: we never store source code beyond the active analysis window
Application Security
- Rate-limited authentication endpoints (express-rate-limit)
- SSRF protection on user-supplied repo URLs (no internal-IP fetch)
- CORS allowlist enforced on every API surface
- Webhook payloads verified via HMAC-SHA256 (GitHub-app-style)
- Content Security Policy headers on every response
- All dependencies scanned against OSV.dev CVE feed on every deploy
Infrastructure
- Hosted on Azure Container Apps with managed identity (no long-lived service creds)
- Application Insights for audit logging — every config change tracked
- Encrypted Azure Files volumes for persistent storage
- WAF + DDoS protection via Azure Front Door
- Backups every 4 hours, 30-day point-in-time restore
- Tear-down + redeploy verified weekly via the documented runbook
Detection & Response
- Application Insights alerts on error-rate spikes and auth anomalies
- Stripe webhook signature verification for every billing event
- OSV.dev CVE feed wired into analysis output — alerts on vulnerable deps
- Quarterly tabletop exercise for incident response procedures
- Coordinated disclosure: security@impactcodeanalysis.com with 90-day patch SLA
Vendor Management
- Azure (data hosting) — SOC 2 Type II, ISO 27001, FedRAMP High
- Stripe (billing) — SOC 2 Type II, PCI DSS Level 1
- Anthropic (AI explain) — SOC 2 Type II, no training on customer data
- Resend (email) — SOC 2 Type II
- WorkOS (SSO) — SOC 2 Type II
- Sub-processor list reviewed quarterly; updated in this page when it changes
Compliance Posture
Certifications & frameworks.
We tell you the truth about where we are, not where we want to be.
Found a vulnerability?
We run a coordinated-disclosure program. Email security@impactcodeanalysis.com with reproduction steps. We acknowledge within 24 hours, patch within 90 days, and credit you in the changelog (your choice).
Please do not file disclosure reports as public GitHub issues.
Need a DPA, BAA, or security questionnaire?
We turn around standard procurement docs in under 48 hours. If you're filling out a security review, we have pre-completed CAIQ / SIG / VSA responses ready to send.