SECURITY

Security Model

How Glyphzero Labs products are designed, what data we handle, and how to report vulnerabilities.

Architecture security

Glyphzero Labs products are built with a security-first architecture from the ground up. Key design decisions:

  • No secrets in environment variables. All credentials and API tokens are fetched at runtime via secure secret injection. No secret ever touches an environment variable or a Kubernetes ConfigMap.
  • Append-only audit log. All audit records are written to an append-only data store through a role that can only insert records. No application code path can update or delete audit records; doing so requires superuser access, which is monitored and alerts on use.
  • Cryptographic request verification. All incoming requests are cryptographically verified before processing. Requests that fail verification are rejected with HTTP 401 before any payload parsing occurs.
  • Time-limited storage of code. Diff payloads are processed in memory; the copy written to object storage for the scan job is retained for 90 days (configurable per organisation) and then deleted.
  • Network isolation. All inter-service communication runs on an internal message bus. No service exposes an HTTP port to the cluster network except the API gateway. All external traffic terminates at the gateway with TLS.
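
The append-only property above can be enforced by the data store rather than trusted to application code. The following is an added example, not Glyphzero Labs code: it uses SQLite triggers as a stand-in for the insert-only database role the page describes (SQLite has no roles), so that any UPDATE or DELETE is rejected regardless of which code path issues it. The table layout, the event names and the sample rows are assumptions constructed for the example.

```python
"""Append-only audit store enforced by the store, not the application.

Added example, not Glyphzero Labs code. The page describes an append-only
store written through an insert-only role; SQLite has no roles, so triggers
that abort UPDATE and DELETE stand in for that role here. Table layout and
event names are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE audit (
    id     INTEGER PRIMARY KEY,
    ts     TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    actor  TEXT NOT NULL,
    event  TEXT NOT NULL,
    detail TEXT NOT NULL
);
-- Reject every modification of an existing record, whoever issues it.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit
BEGIN SELECT RAISE(ABORT, 'audit records are immutable'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit
BEGIN SELECT RAISE(ABORT, 'audit records are immutable'); END;
"""


def open_audit_store(path=":memory:"):
    """Create the audit table and its immutability triggers."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record(conn, actor, event, detail):
    """The only write path the application gets: INSERT. Returns the row id."""
    cur = conn.execute(
        "INSERT INTO audit (actor, event, detail) VALUES (?, ?, ?)",
        (actor, event, detail),
    )
    conn.commit()
    return cur.lastrowid


def try_tamper(conn, row_id):
    """Attempt the two operations the design forbids.

    Returns {"update": blocked?, "delete": blocked?}; both should be True.
    """
    attempts = (
        ("update", "UPDATE audit SET detail = 'scrubbed' WHERE id = ?"),
        ("delete", "DELETE FROM audit WHERE id = ?"),
    )
    blocked = {}
    for name, sql in attempts:
        try:
            conn.execute(sql, (row_id,))
            conn.commit()
            blocked[name] = False
        except sqlite3.DatabaseError:   # RAISE(ABORT) surfaces as IntegrityError
            conn.rollback()
            blocked[name] = True
    return blocked


def events(conn):
    """Read the trail back in insertion order."""
    return [tuple(r) for r in conn.execute(
        "SELECT actor, event, detail FROM audit ORDER BY id")]


if __name__ == "__main__":
    db = open_audit_store()
    # Constructed sample event, not real data.
    rid = record(db, "ci-bot", "scan.started", "pr=42")
    print(try_tamper(db, rid))   # {'update': True, 'delete': True}
    print(events(db))            # [('ci-bot', 'scan.started', 'pr=42')]
```

On a server database the equivalent is to grant the application role INSERT on the audit table and nothing else, and to alert on any session that holds DELETE or superuser rights; the trigger version above is only a portable way to show the invariant holding against the application's own connection.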

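For the verify-before-parse rule above, the following is an added example of a webhook handler; it is not Code Corgi's code. It assumes, since the page does not say, that requests carry an HMAC-SHA256 over the raw request body in a hypothetical X-Signature-256 header formatted as sha256=<hex>, that the shared secret comes from an injected provider callable rather than an environment variable, and that the body is JSON. The sample body and secret are constructed.

```python
"""Verify-before-parse webhook handling.

Added example, not Code Corgi's code. Assumptions (not stated on the page):
HMAC-SHA256 over the raw body, sent in a hypothetical X-Signature-256 header
as "sha256=<hex>"; secret obtained from an injected provider at runtime.
"""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature-256"   # hypothetical header name


def sign(secret: bytes, body: bytes) -> str:
    """Signature a trusted sender attaches to the raw body bytes."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, headers: dict, body: bytes) -> bool:
    """True only if the header carries a valid signature for these exact bytes.

    Operates on the raw body, never on a parsed or re-serialised form, and
    uses a constant-time comparison so response timing does not reveal how
    many leading characters of a forged signature were right.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    scheme, sep, hexdigest = presented.partition("=")
    if sep != "=" or scheme != "sha256":
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"),
                               hexdigest.encode("utf-8"))


def handle_webhook(secret_provider, headers: dict, body: bytes):
    """Gateway-side handler. Returns (http_status, parsed_payload_or_None).

    Order matters: the signature check runs on the raw bytes first, and
    json.loads is only reached by authenticated requests, so a malformed
    or hostile payload from an unknown sender never touches the parser.
    """
    secret = secret_provider()          # injected at runtime, never os.environ
    if not verify_signature(secret, headers, body):
        return 401, None
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None                # authenticated, but not valid JSON
    return 200, payload


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"            # constructed, not a real credential
    body = b'{"repo": "acme/widgets", "pr": 42}'   # constructed sample body
    good = {SIGNATURE_HEADER: sign(SECRET, body)}
    print(handle_webhook(lambda: SECRET, good, body))          # (200, {...})
    print(handle_webhook(lambda: SECRET, {}, body))            # (401, None)
    print(handle_webhook(lambda: SECRET, good, body + b" "))   # (401, None)
```

Two details are easy to get wrong in practice: verifying a re-serialised copy of the body (any whitespace difference breaks the MAC, and a parser has already run on untrusted input), and comparing hex strings with `==`, which short-circuits on the first mismatching character.
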
Data handling

What we process

Code Corgi processes pull request diff payloads — the changed lines of code in each pull request. We do not process your entire repository, only the lines changed in a given PR.

What we store

  • Diff payloads: stored in object storage (MinIO / S3-compatible), encrypted at rest, deleted after 90 days (configurable per organisation)
  • Scan findings: stored in an encrypted database, retained for the duration of your subscription
  • Audit events: append-only log of all scan jobs, findings, and policy changes
  • Webhook metadata: repository name, PR number, commit SHA — no code content

What we never store

  • Your full repository contents
  • Git history beyond the current PR diff
  • Developer credentials or authentication tokens
  • Personal data beyond the email address used to register

Data residency

Enterprise customers can specify a data residency region at account creation. Object storage and database instances are provisioned in that region. Available regions: US (default), EU, APAC.

Responsible disclosure

We take security vulnerabilities seriously. If you discover a vulnerability in any Glyphzero Labs product, please report it responsibly:

  • Email: [email protected]
  • Response time: We will acknowledge your report within 48 hours
  • Disclosure window: We ask for 90 days to remediate before public disclosure
  • Scope: All Glyphzero Labs products — Code Corgi, API Akita Phantom, Calendar Mastiffs, SURADAR, and related APIs and infrastructure

Please do not use automated scanners against production infrastructure. We maintain a staging environment available for security researchers — contact us for access.

Penetration testing

Enterprise customers may conduct penetration tests against their own Glyphzero Labs deployment. Please notify us at [email protected] before beginning testing so we can distinguish your activity from genuine threats.

Compliance

Glyphzero Labs products are designed to support SOC 2 Type II compliance for our customers. Key controls:

  • Append-only audit trail for all scan events and policy changes
  • Role-based access control with the principle of least privilege
  • Encrypted data at rest and in transit
  • Configurable data retention policies
  • Single sign-on via SAML 2.0 / OIDC (Enterprise tier)

Questions about security?

Our security team responds to all inquiries within 48 hours.

[email protected]