Data protection
We encrypt data in transit and at rest, limit retention periods by default, and handle source code submitted for scanning on a temporary basis.
Effective date: April 6, 2026
This page provides a high-level overview of the security practices we use to operate the Scantonomous public marketing website and authenticated product website. It is intended to explain our approach in plain language and may evolve as the Service and our security program mature.
Product access is tied to authenticated user accounts, account-level roles, and customer-managed user administration. The product supports multi-factor authentication for user accounts.
We use code review, automated checks, logging, monitoring, and incident-response practices to reduce risk and respond to issues.
Access to the product requires authenticated user accounts. Account administrators can manage invited users and roles within their organization, and the product supports multi-factor authentication for user accounts.
Internal access to production systems and customer data is limited to authorized personnel and service providers with a legitimate business need and appropriate confidentiality obligations.
We encrypt customer data in transit and at rest. Customer source code submitted for scanning is stored temporarily during scanning and is automatically deleted within 1 day. Scan results and artifacts are retained for up to 14 days, and logs are retained for 30 days, except where we need limited additional retention for legal, security, fraud-prevention, or billing recordkeeping purposes.
For additional detail about what information we collect and how long we retain it, see our Privacy Policy and Cookie Policy.
We use secure software-development and deployment practices intended to reduce the risk of introducing vulnerabilities. These practices include code review, automated checks before deployment, and security controls in our engineering workflows such as dependency review and secret-detection tooling.
We also use logging and monitoring to investigate failures, detect abuse, and support response to suspected security events.
We do not send customer code or findings to Anthropic, OpenAI, or any other third-party AI provider. AI-powered analysis described in the Service runs within our own infrastructure.
When we identify a security issue, we work to investigate, contain, remediate, and restore normal operations. If an incident affects customer data, we will notify affected customers when required by law or contract.
Questions about our security practices or suspected security issues can be sent to support@scantonomous.ai or through our contact page.
Privacy-specific requests, including access, correction, deletion, or export requests, should be sent to privacy@scantonomous.ai.