Security at Code Catch

Your code never leaves your control. We process reviews in memory, encrypt everything, and retain nothing.

TLS 1.3
SOC 2 Infra
Zero Retention

Security Practices

Encryption

All data is encrypted in transit (TLS 1.3) and at rest. Database connections use SSL with certificate verification.

Authentication

Session-based auth with secure HTTP-only cookies, CSRF protection, and optional OAuth via GitHub. Tokens are never stored in localStorage.

Infrastructure

Hosted on Vercel's SOC 2 compliant platform. Database on Neon PostgreSQL with automated backups and point-in-time recovery.

Minimal Data Access

We only access repository data you explicitly connect. Code is processed in memory during reviews and never stored permanently.

Rate Limiting & DDoS Protection

All API endpoints are rate-limited per user and IP. Vercel's edge network provides DDoS mitigation at the infrastructure level.
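A per-user and per-IP limiter of the kind described above, as an added example that is not Code Catch's own code. It is an in-memory token bucket in plain Node.js; the bucket sizes, refill rates, key scheme and the use of `X-Forwarded-For` are assumptions for illustration.

```javascript
// Added example (not Code Catch's code): two independent token-bucket limits,
// one keyed by authenticated user and one by client IP, so an unauthenticated
// flood from one address is throttled and one user cannot spread load over many IPs.
class TokenBucketLimiter {
  constructor(capacity, refillPerSecond) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.buckets = new Map(); // key -> { tokens, last }
  }

  // Returns true if the request for `key` may proceed, false if it is throttled.
  take(key, nowMs = Date.now()) {
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: nowMs };
      this.buckets.set(key, b);
    }
    const elapsedSeconds = (nowMs - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSeconds * this.refillPerSecond);
    b.last = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Limits are assumed values: 60-request burst at 1/s per user, 120 at 2/s per IP.
const perUser = new TokenBucketLimiter(60, 1);
const perIp = new TokenBucketLimiter(120, 2);

// Take the client address from the forwarding header a trusted proxy sets, or
// fall back to the socket address. X-Forwarded-For is only trustworthy when the
// edge you control sets it; otherwise it is client-supplied.
function clientIp(req) {
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (xff) return xff.split(',')[0].trim();
  return req.remoteAddress || 'unknown';
}

// Returns { allowed, reason }; both limits must pass. The IP limit is checked
// first so an unauthenticated flood never reaches the user bucket.
function checkRequest(req, nowMs = Date.now()) {
  if (!perIp.take(`ip:${clientIp(req)}`, nowMs)) return { allowed: false, reason: 'ip' };
  if (req.userId && !perUser.take(`user:${req.userId}`, nowMs)) {
    return { allowed: false, reason: 'user' };
  }
  return { allowed: true, reason: null };
}
```

An in-memory map only limits within one process; on a multi-instance deployment the buckets would live in shared storage, and a throttled response should carry a 429 status with `Retry-After`.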

Security Headers

Strict CSP, HSTS, X-Frame-Options DENY, and Referrer-Policy headers are enforced on every response.
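The header set named above, as an added example that is not Code Catch's own code: a map of response headers a Node.js handler would apply, plus a checker that flags weak values. The exact policy strings are assumptions; a real CSP has to list the application's own script and connect origins.

```javascript
// Added example (not Code Catch's code): the security headers listed on the page
// with assumed values, a helper to apply them, and an audit function that flags
// missing or weak values in a response's headers.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Apply the headers to a Node.js http.ServerResponse (anything with setHeader).
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(securityHeaders())) res.setHeader(name, value);
  return res;
}

// Parse a CSP string into directive -> source list.
function parseCsp(csp) {
  const out = {};
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    out[parts[0]] = parts.slice(1);
  }
  return out;
}

// Check a response's headers against the policy described on the page.
// Returns a list of findings; an empty list means every check passed.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const p = parseCsp(csp);
    if (!p['default-src']) findings.push('CSP has no default-src fallback');
    const scripts = p['script-src'] || p['default-src'] || [];
    if (scripts.some((s) => s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === '*')) {
      findings.push('CSP allows unsafe-inline, unsafe-eval or wildcard script sources');
    }
  }

  const hsts = h['strict-transport-security'];
  const m = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!m) findings.push('missing or malformed Strict-Transport-Security');
  else if (Number(m[1]) < 31536000) findings.push('HSTS max-age below one year');

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');
  return findings;
}
```

Running `auditHeaders` against the headers of a fetched response gives a quick regression check that a deploy did not silently drop or weaken one of these headers.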

Responsible Disclosure

If you discover a security vulnerability, we appreciate your help in disclosing it responsibly. Please do not open a public GitHub issue for security vulnerabilities.

To report a vulnerability:

  1. Email us at codecatch27@gmail.com with a description of the issue
  2. Include steps to reproduce the vulnerability
  3. Allow up to 72 hours for an initial response
  4. We'll work with you to understand and address the issue before any public disclosure

Data Handling Commitments

  • We never store your source code after a review is complete
  • We never share your code or data with third parties
  • We never use your code to train AI models
  • AI provider API calls use ephemeral processing — no data retention
  • You can disconnect repositories and delete your account at any time

Questions?

For security-related questions, reach out to codecatch27@gmail.com.