
Security

Zero-retention architecture. Your code is never stored on our servers.

Zero Data Retention

Covalynce uses an ephemeral processing model. Your code diffs are analyzed in memory and immediately discarded. We never store your source code, only the generated content drafts (which you can delete at any time).

Processing Flow:
1. Webhook receives code diff
2. Diff analyzed in RAM (never written to disk)
3. LLM generates content
4. Diff immediately discarded
5. Only content draft stored (user-controlled)

Memory-only processing: Code analysis happens entirely in ephemeral memory. No temporary files, no database storage, no backups of your code.

End-to-End Encryption

All data in transit is encrypted using TLS 1.3. API keys and tokens are encrypted at rest using AES-256-GCM.

Encryption Standards:
• TLS 1.3 for all connections (HTTPS only)
• AES-256-GCM for data at rest
• RSA-4096 for key exchange
• Perfect Forward Secrecy enabled
• HSTS headers enforced

What We Encrypt

  • OAuth tokens (GitHub, Twitter, LinkedIn, etc.)
  • API keys
  • Generated content drafts
  • User account information
  • Webhook secrets

Infrastructure Security

Hosting & Infrastructure

All services run on AWS with SOC 2 Type II compliance:

  • Multi-region redundancy (US-East, US-West, EU)
  • Automatic failover and load balancing
  • DDoS protection via AWS Shield
  • VPC isolation for internal services
  • Regular automated backups (for user data only, not code)

Access Control

Role-based access control (RBAC) with OAuth 2.0 authentication:

  • OAuth 2.0 for user authentication
  • SSO support for enterprise customers
  • Multi-factor authentication (MFA) available
  • API key rotation and revocation
  • Session management with secure cookies

Monitoring & Incident Response

24/7 security monitoring with automated threat detection:

  • Real-time intrusion detection
  • Automated threat response
  • All access attempts logged and audited
  • Security incident response team on-call
  • Regular security audits and penetration testing

Compliance & Certifications

  • SOC 2 Type II: Certified annually
  • GDPR Compliant: EU Data Protection
  • CCPA Compliant: California Privacy
  • ISO 27001: In Progress (Q2 2024)

We undergo annual third-party security audits. Compliance reports are available upon request for enterprise customers.

Security Best Practices

Regular Security Audits: We conduct quarterly third-party security audits and annual penetration testing. All findings are addressed within 30 days.
Bug Bounty Program: We offer rewards for responsibly disclosed security vulnerabilities. Report issues to security@covalynce.com. Rewards range from $100 to $10,000 based on severity.
Data Deletion: You can delete all your data at any time via the dashboard or API. Deletion is permanent and immediate. No backups are retained after deletion.
Source Code Access: We never have access to your source code. Only diffs are analyzed ephemerally in memory. We cannot read your full repository, only the changes in PRs.
Vulnerability Disclosure: We maintain a responsible disclosure policy. Security vulnerabilities are patched within 48 hours of discovery.

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Email: security@covalynce.com
PGP Key: Available at https://covalynce.com/security/pgp

Please include: description of the vulnerability, steps to reproduce, potential impact, and suggested fix (if any). We will respond within 24 hours and provide updates on remediation progress.