Security, privacy, and transparency are at the core of everything we build. Here's how we protect your code and data.
Your code stays under your control: GovNu analyzes it in ephemeral sandboxes that are destroyed immediately after each scan, so no copy persists once the scan completes.
We do not store, train on, or share your source code. Analysis results and governance metrics are stored only as long as you need them, with full deletion control in your hands.
All data is encrypted at rest (AES-256) and in transit (TLS 1.2 or later). Database access is protected by row-level security policies, enforced by the database itself rather than only by application code, that strictly isolate each tenant's rows.
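How a database can enforce tenant isolation on every statement, as an added example that is not GovNu's own schema or policy: PostgreSQL row-level security, shown with the weak application-only filter beside the enforced form. The table, setting and role names (scan_results, app.tenant_id, govnu_app) and the sample tenant id are assumptions made for the illustration.

```sql
-- Added example (assumed names, not GovNu's schema): tenant isolation with
-- PostgreSQL row-level security (RLS).

CREATE TABLE scan_results (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid  NOT NULL,
    repo       text  NOT NULL,
    metrics    jsonb NOT NULL
);

-- Weak: isolation lives only in application code. One query that forgets
-- the predicate returns every tenant's rows.
--   SELECT * FROM scan_results WHERE tenant_id = $1;

-- Enforced: the database applies the tenant boundary to every statement.
ALTER TABLE scan_results ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner too; without it a connection
-- running as the owner bypasses RLS silently.
ALTER TABLE scan_results FORCE ROW LEVEL SECURITY;

-- The application sets the tenant for the transaction and the policy reads
-- it back. missing_ok = true yields NULL when the setting was never defined,
-- and NULLIF covers the empty string left behind after an earlier SET LOCAL
-- expires, so a connection that forgets to set the tenant sees and writes
-- nothing instead of erroring on an invalid uuid cast.
CREATE POLICY tenant_isolation ON scan_results
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Least privilege: the application role is not the table owner and cannot
-- bypass policies; only the owner, superusers and BYPASSRLS roles can.
CREATE ROLE govnu_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON scan_results TO govnu_app;
GRANT USAGE, SELECT ON SEQUENCE scan_results_id_seq TO govnu_app;

-- Per request, connected as govnu_app. SET LOCAL is cleared when the
-- transaction ends, so a pooled connection cannot carry one tenant's id
-- into the next request.
BEGIN;
SET LOCAL app.tenant_id = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11';
INSERT INTO scan_results (tenant_id, repo, metrics)
VALUES ('a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11', 'example/repo', '{"coverage": 82}');
SELECT id, repo FROM scan_results;   -- only this tenant's rows are visible
COMMIT;

-- Check the fail-closed behaviour: with no tenant set, the policy predicate
-- is NULL, so the SELECT returns no rows and the INSERT is rejected by
-- WITH CHECK even though the row carries a real tenant_id.
BEGIN;
SELECT count(*) FROM scan_results;
INSERT INTO scan_results (tenant_id, repo, metrics)
VALUES ('a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11', 'example/repo', '{}');
ROLLBACK;
```

The two things most often missed when RLS is used for tenant isolation are both in the block: FORCE ROW LEVEL SECURITY, because the owner role is otherwise exempt, and an application role created without BYPASSRLS, so that the policy cannot be skipped by the credentials the service actually runs with.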
GovNu is built with security-first architecture: principle of least privilege, defense in depth, and zero-trust networking.
We are committed to annual third-party security audits and quarterly penetration testing by independent firms.
Vulnerability disclosure: We maintain a responsible disclosure policy. Security issues are triaged within 24 hours and resolved according to severity tiers (Critical: 48h, High: 7d, Medium: 30d).
Compliance: GovNu adheres to GDPR and CCPA requirements and is pursuing SOC 2 Type II and ISO 27001 certification.
We collect only the minimum data necessary to provide the service: repository metadata, scan configurations, and quality metrics. Personal data (names, emails) is collected only with explicit consent.
You have full control: data export (machine-readable JSON), data deletion (immediate or 30-day grace period), and access logs (view who accessed what, when).
Product analytics run only with your explicit consent. We use PostHog, and no tracking occurs until you opt in. No advertising. No data brokerage. Your governance data is yours alone.
BYOLLM (Enterprise): when you bring your own LLM provider, code analysis runs entirely in your chosen infrastructure, and GovNu itself never sees your code.
We target 99.9% monthly uptime for all production services.
Enterprise SLA: Custom uptime guarantees with dedicated support and escalation paths.
Infrastructure: Cloud-native deployment with automatic failover. Database replication with point-in-time recovery.
Monitoring: Real-time health checks with automated incident detection and response.
Status page: Subscribe for real-time incident notifications and scheduled maintenance windows.
GovNu is designed with a zero-access philosophy: we cannot read your source code even if we wanted to. Here's how:
Our security team is here to help. Contact us for detailed technical documentation, penetration test reports, or compliance certifications.