Data handling
AISafe processes your source code, target URLs, and assessment results to deliver security testing.
What data AISafe processes
AISafe processes the following when you run an assessment:
- Source code: for code audits, the platform clones your repository into an isolated sandbox for analysis. The code stays for the duration of the assessment and its revision history.
- Target information: for pentests, the target URLs, authentication credentials, and HTTP traffic captures produced during testing.
- Findings and evidence: vulnerability descriptions, file locations, taint flows, proof-of-concept payloads, and suggested fixes.
- Reports: PDF deliverables.
- Organization metadata: member information, team structure, integration connections, API keys, and billing records.
How data is stored
- Source code archives: the platform stores them in encrypted object storage, scoped to your organization. Deleting the associated assessment removes its archives.
- Assessment and finding data: AISafe's database holds this data, scoped to your organization. The platform blocks cross-tenant access to prevent information leakage.
- Credentials and secrets: API keys and integration tokens are encrypted at rest. Source access tokens (GitHub/GitLab installation tokens) expire within a short window and are never written to disk.
- HTTP traffic captures: the platform stores pentest traffic (request/response pairs) as artifacts linked to the assessment.
Who can access your data
Organization membership and roles govern access to your data:
- Organization members: can access assessments, findings, and reports within their organization, subject to their role permissions.
- AISafe staff: do not have routine access to your source code or findings. Staff access is limited to support and incident response, and the platform audits all access.
- No cross-tenant access: AISafe returns 404 when a caller tries to access a resource belonging to another organization, preventing information leakage about other tenants.
Data retention
- Assessments and findings: the platform retains them for the lifetime of your organization. You can delete assessments and findings at any time.
- Source code archives: the platform retains them as long as the assessment exists. Deleting an assessment removes its source archives.
- Reports: the platform retains them as artifacts linked to the assessment.
- Account data: the platform retains it while your account is active. You can request data deletion by contacting support.
LLM processing
AISafe uses third-party LLM providers to power the AI agents. The platform sends your source code and target information to the LLM provider as part of the reasoning process. AISafe does not use your data to train models. Refer to your LLM provider's data processing terms for details on their handling of inference inputs. See the sub-processors table below for the categories of providers involved.
Data subject rights
If you need to exercise data subject rights under GDPR, CCPA, or similar regulations, including data deletion, data export, or data portability, contact AISafe support. Organization owners can also delete assessments and findings from the dashboard at any time, which removes the associated source archives, artifacts, and reports.
Sub-processors
AISafe relies on the following categories of sub-processors to deliver the service:
| Category | Purpose | Examples |
|---|---|---|
| Cloud infrastructure | Compute, storage, networking | Major cloud providers |
| LLM providers | AI agent reasoning | Anthropic |
| Source code hosting | Repository access (your choice) | GitHub, GitLab |
| Issue tracking | Finding export (your choice) | Jira, Linear, GitHub Issues |
| Notifications | Slack/Teams notifications | Slack, Microsoft Teams |
| Email delivery | Transactional email | Resend |
| Billing | Subscription and credit purchases | Polar |
Request the current sub-processor list with specific providers from support. AISafe commits to notifying customers before adding a new sub-processor that processes customer data.