Security

• All services hosted on Railway with automated deployments and isolated containers.
• TLS 1.3 enforced on all endpoints — no unencrypted traffic accepted.
• Database connections encrypted in transit and at rest.
• Environment variables and secrets managed through secure vault, never committed to code.

• Passwords hashed with bcrypt (cost factor 12) — never stored in plaintext.
• JWT-based authentication with short-lived tokens and secure httpOnly cookies.
• License keys generated using cryptographically secure random generators (128-bit entropy).
• Email verification required for all new accounts.
• Rate limiting on authentication endpoints to prevent brute-force attacks.

• Self-Hosted users (Free and Pro): scan data never leaves your machine. All processing is local via npx.
• Cloud and Team tier users: scan results transmitted over TLS and stored encrypted.
• We never access, read, or store your source code. Scanners analyze code locally or in isolated containers.
• Scan results are retained for 90 days by default (configurable on Team plans).
• Full data deletion available upon account termination.

• All 8 scanners are built on trusted open-source engines (Semgrep, Trivy, Gitleaks, Checkov, and more).
• Scanners run in isolated, ephemeral containers with no network access to your infrastructure.
• Scanner versions are pinned and updated on a regular release cycle after security review.
• MCP server validates license keys and enforces plan-level feature gating on every request.

• All payments processed by Stripe — a PCI DSS Level 1 certified payment processor.
• We never see, store, or process credit card numbers or bank details.
• Webhook signatures verified on every Stripe event to prevent tampering.

Found a security vulnerability in SafeWeave? We appreciate responsible disclosure. Please email support@safeweave.dev with details and we will respond within 48 hours. Do not publicly disclose vulnerabilities before we have had a chance to address them.