Trust Center · v1.0
Security & Data Handling
Audioblend audits source code — we take its handling seriously. This page documents exactly what we do with your repos, audit outputs, and secrets. Last updated: June 2026.
Ephemeral repo clones
When you submit a GitHub repository, we clone it into a sandboxed in-memory workspace, run the audit, and delete the clone immediately after the report is generated. We do not retain a copy of your source code on disk after the scan completes.
What we store
We persist only the audit output: the OWASP score, vulnerability findings (title, description, file path, fix suggestions), and attack-chain summaries. We do not store raw source code, full file contents, environment variables, or repository archives.
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database backups are encrypted with separate keys. API credentials, GitHub installation tokens, and password-protected share links use bcrypt hashing.
No training on customer code
Your code is never used to train our models, fine-tune prompts, or improve the product without explicit opt-in. We use third-party LLM providers (Google Gemini, OpenAI) under zero-data-retention API agreements — providers do not retain your code beyond the request lifetime.
Data deletion
You can delete any audit or codebase from your dashboard. Deletion is immediate and cascades to all associated findings, share links, and metadata. Account deletion purges all associated data within 30 days. To request a full export or deletion, email security@audioblend.app.
Infrastructure
Audioblend runs on Cloudflare Workers (edge compute) and Supabase (managed Postgres, hosted in AWS us-east-1). No customer code touches a long-lived VM: scans run in ephemeral edge workers and complete in under 60 seconds.
SBOM & dependencies
We publish an SBOM (Software Bill of Materials) of Audioblend's own dependencies on request. Our supply chain is monitored continuously by Dependabot and our own scanner.
Responsible disclosure
Found a security issue in Audioblend? Email security@audioblend.app with details. We acknowledge within 24 hours and aim to remediate critical issues within 7 days. Coordinated disclosure preferred; we credit researchers in our public changelog.
Compliance roadmap
SOC 2 Type II is in progress (target: Q4 2026). We support GDPR data-subject requests today. For enterprise procurement questionnaires, custom DPAs, or on-prem deployment options, contact enterprise@audioblend.app.
