Architecture first. Certifications later.
We're early. There's no SOC 2 report to wave around yet. What we do have is an architecture that doesn't require trusting us, and six facts that are verifiable today.
Each pull request runs in its own microVM
Code analysis runs in Firecracker microVMs on Fly Machines. That's the same hardware-virtualization technology that backs AWS Lambda. Each pull request gets its own VM with its own kernel and memory, and the VM is destroyed when the analysis finishes. No shared state between reviews.
AI inference runs through Fireworks AI
Fireworks' privacy policy commits to not training on customer prompts unless the customer opts in, and to zero data retention by default: prompts live in volatile memory for the duration of the request and nowhere else. Fireworks is SOC 2 Type II and HIPAA compliant. They're the only inference provider we use today.
Source stays scoped to the review
We store the diff inside your review document so the IDE can render it back to you. That document is scoped to your organisation. No analytics replicas, no archives, no replication to anywhere else.
EU-hosted control plane
Application data lives in the EU. Inference goes through Fireworks (US-domiciled) under a data processing agreement. We disclose every sub-processor we use.
Hash-chained audit log
Every comment, every resolution, every reviewer assignment is appended to a per-organisation SHA-256 hash chain: each entry's hash covers the previous entry's hash, so editing or deleting an earlier entry breaks every hash after it. Append-only, tamper-evident, and exportable any time.
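What "hash-chained" buys you, and what it does not, is easiest to see in code. The following is an added illustration, not the product's own implementation or export format: it builds a small per-organisation chain over constructed events, exports it as JSON, and verifies an export. The record layout (prev, entry, hash), the genesis value, and the canonical JSON encoding are assumptions made for the example. Note the caveat the verifier makes explicit: the chain detects any edit, deletion, or reordering of earlier entries on its own, but a silently truncated tail only shows up when you compare against a head hash you recorded earlier, which is exactly what keeping your exports gives you.

```python
import hashlib
import json
from typing import Optional, Tuple

# Assumed genesis value for an empty chain (not the product's format).
GENESIS = "0" * 64


def _canonical(entry: dict) -> bytes:
    # Canonical JSON so the same entry always hashes identically,
    # regardless of key order in the exported file.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, entry: dict) -> str:
    # Each hash covers the previous hash plus the entry itself.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(entry))
    return h.hexdigest()


class AuditLog:
    """Append-only, per-organisation SHA-256 hash chain (example only)."""

    def __init__(self, org_id: str):
        self.org_id = org_id
        self.records = []  # each: {"prev": str, "entry": dict, "hash": str}

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS

    def append(self, event: dict) -> str:
        prev = self.head()
        entry = {"org": self.org_id, "seq": len(self.records), **event}
        h = entry_hash(prev, entry)
        self.records.append({"prev": prev, "entry": entry, "hash": h})
        return h

    def export(self) -> str:
        return json.dumps(self.records)


def verify_export(export_json: str, expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk an exported chain from genesis; return (ok, head_or_reason)."""
    records = json.loads(export_json)
    prev = GENESIS
    for i, r in enumerate(records):
        if r["prev"] != prev:
            return False, f"record {i}: prev pointer mismatch"
        if r["entry"].get("seq") != i:
            return False, f"record {i}: sequence gap or reordering"
        if entry_hash(prev, r["entry"]) != r["hash"]:
            return False, f"record {i}: hash mismatch (entry modified)"
        prev = r["hash"]
    # Truncation of the tail is only detectable against a previously
    # recorded head hash; the chain itself cannot tell a short log
    # from a complete one.
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: log truncated or replaced"
    return True, prev


def build_sample_log() -> AuditLog:
    # Constructed events for the example: one of each kind the page lists.
    log = AuditLog("org_example")
    log.append({"type": "comment", "pr": 42, "text": "nit: unused import"})
    log.append({"type": "assign_reviewer", "pr": 42, "reviewer": "alice"})
    log.append({"type": "resolve", "pr": 42, "comment_seq": 0})
    return log


def tamper_modify(export_json: str) -> str:
    # Simulate an attacker rewriting an earlier comment in place.
    records = json.loads(export_json)
    records[0]["entry"]["text"] = "lgtm"
    return json.dumps(records)


def tamper_truncate(export_json: str) -> str:
    # Simulate an attacker dropping the most recent entry.
    return json.dumps(json.loads(export_json)[:-1])


if __name__ == "__main__":
    log = build_sample_log()
    export = log.export()
    print("intact:   ", verify_export(export, expected_head=log.head()))
    print("modified: ", verify_export(tamper_modify(export)))
    print("truncated, no recorded head:", verify_export(tamper_truncate(export)))
    print("truncated, with recorded head:",
          verify_export(tamper_truncate(export), expected_head=log.head()))
```

Operationally, the practitioner's habit this suggests is simple: whenever you pull an export, keep its head hash somewhere the service cannot reach, and pass that value as expected_head when you verify the next export.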
GDPR-aware by default
Per-organisation data isolation. Standard DPA available on request. Right to erasure is honoured: we can delete a review's data, or an entire organisation, on request.