Trust & Security

How ThornGrade protects your code and maintains the highest security standards

1. Architecture Overview

Your Code → GitHub OAuth (read-only) → Isolated Environment (temp workspace) → Security Analysis (Semgrep + AI) → Code Deleted (verified + attested)

Core Security Promise

Your code enters an isolated environment, is analyzed for security vulnerabilities, and is cryptographically verified as deleted. We never store your source code.

2. Data Handling

Isolation Process

  • Code is cloned into a temporary isolated workspace
  • Scan runs with a 120-second timeout
  • Process is sandboxed with memory limits

Deletion & Verification

  • After scan completion, all code is deleted
  • Deletion is cryptographically attested (SHA-256 hash chain)
  • Attestation artifact is available in your scan results
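The following is an added illustration of how a SHA-256 hash chain can make a deletion attestation tamper-evident. It is not ThornGrade's implementation: the record layout, the all-zero genesis link, the canonical-JSON encoding and the function names (`attest_deletion`, `verify_attestation`) are assumptions chosen for the example, and the workspace files it hashes are constructed inline.

```python
"""Deletion attestation with a SHA-256 hash chain (illustrative, not ThornGrade's code).

Each file in a scan workspace is hashed and folded into a running chain; the
workspace is then removed, and a final record binds the chain head to the
post-deletion check. Anyone holding the attestation can recompute the chain.
"""
import hashlib
import json
import os
import shutil
import tempfile

GENESIS = "00" * 32  # assumed genesis link for the chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chain_step(prev_link: str, record: dict) -> str:
    """Next link = SHA-256(previous link || canonical JSON of the record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(bytes.fromhex(prev_link) + payload)


def build_file_chain(workspace: str) -> tuple[str, list[dict]]:
    """Walk the workspace in a deterministic order and chain one record per file."""
    head = GENESIS
    links = []
    for root, dirs, files in os.walk(workspace):
        dirs.sort()  # deterministic traversal so verification reproduces the chain
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                content = fh.read()
            record = {
                "path": os.path.relpath(path, workspace),
                "sha256": sha256_hex(content),
                "bytes": len(content),
            }
            head = chain_step(head, record)
            links.append({"record": record, "link": head})
    return head, links


def attest_deletion(workspace: str) -> dict:
    """Hash the workspace, delete it, and emit a chained attestation artifact."""
    head, links = build_file_chain(workspace)
    shutil.rmtree(workspace)
    final = {
        "workspace": os.path.basename(workspace),
        "files": len(links),
        "chain_head": head,
        "deleted": not os.path.exists(workspace),
    }
    return {"links": links, "final": final, "attestation": chain_step(head, final)}


def verify_attestation(att: dict) -> bool:
    """Recompute every link; any edited record, dropped file or false flag breaks the chain."""
    head = GENESIS
    for entry in att["links"]:
        head = chain_step(head, entry["record"])
        if head != entry["link"]:
            return False
    if head != att["final"]["chain_head"]:
        return False
    return bool(att["final"]["deleted"]) and chain_step(head, att["final"]) == att["attestation"]


def demo() -> dict:
    """Build a constructed sample workspace, attest its deletion, return the artifact."""
    ws = tempfile.mkdtemp(prefix="scan-")
    os.makedirs(os.path.join(ws, "src"))
    with open(os.path.join(ws, "src", "app.js"), "w") as fh:
        fh.write("console.log('constructed sample');\n")
    with open(os.path.join(ws, "package.json"), "w") as fh:
        fh.write('{"name": "constructed-sample"}\n')
    return attest_deletion(ws)


if __name__ == "__main__":
    artifact = demo()
    print(json.dumps(artifact["final"], indent=2))
    print("verified:", verify_attestation(artifact))
```

A chain like this proves that the artifact has not been altered after the fact and that the set of hashed files is complete relative to what was recorded; it does not by itself prove the deletion happened, since the `deleted` flag is asserted by the same process that did the deleting. That is why an attestation of this kind is only as strong as the isolation and integrity of the environment producing it, which is the point of the sandboxed workspace described above.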

3. What We Access

✅ We Read

  • Source files (.js, .ts, .py, .rb, etc.)
  • Configuration files (package.json, etc.)
  • Public repository metadata
  • Dependency manifests

❌ We Never Read

  • .git history or commit messages
  • Environment variables or secrets
  • Database contents
  • Private communication or issues

GitHub OAuth

We use GitHub OAuth with read-only access to repository contents.

  • OAuth tokens are encrypted at rest using industry-standard encryption
  • Tokens automatically expire and are regularly rotated
  • You can revoke access at any time through GitHub settings

4. Subprocessors

Service          | Purpose                      | Data Shared
-----------------|------------------------------|---------------------------------------
Vercel           | Hosting & Infrastructure     | None (code never stored)
Anthropic Claude | AI-powered security analysis | Code snippets (in transit, not stored)
GitHub           | OAuth & repository access    | OAuth tokens (encrypted)
Stripe           | Payment processing           | Payment info only
OSV.dev          | Vulnerability data           | Package names only (no code)
Supabase         | Database & metadata          | Scan metadata (no code)

5. Responsible Disclosure

Security Contact

Email: security@thorngrade.com

Response time: 48 hours

Our Commitment

We take security seriously. If you discover a vulnerability in ThornGrade, please report it to our security team. We'll work with you to understand and address the issue promptly.

6. Compliance & Certifications

SOC 2 Type II

ThornGrade follows SOC 2 Type II methodology for our internal security controls, including access management, system monitoring, and data protection.

Note: We are not yet SOC 2 certified but are working toward certification. We believe in transparency about our compliance journey.

Security Practices

  • Regular security audits and penetration testing
  • Encrypted data transmission (TLS 1.3)
  • Role-based access controls
  • Continuous security monitoring
  • Incident response procedures
  • Regular security training for team members
  • Third-party security assessments
  • Vulnerability disclosure program

Questions About Security?

We're committed to transparency about our security practices. If you have questions about how we protect your data, we're here to help.

© 2024 ThornGrade. This page was last updated on 3/23/2026.