Security

Your code, never stored.

Prev-ent is a security product. We act like one. Here's exactly what happens to your code, in plain English.

What we do

When you click Scan, we:

  1. Use the GitHub access token you granted to list the files in your repo
  2. Fetch the source of scannable files (.js, .ts, .py, .go, .rb, .php, etc.)
  3. Send those files in a single API call to Anthropic Claude with our security analysis prompt
  4. Parse Claude's response and save only the structured findings (file path, line numbers, the specific snippet flagged as vulnerable, plus our proposed fix) to our database
  5. Show you the report

What we don't do

  • Store your full repo source code anywhere
  • Train any AI model on your code (Anthropic's API policy: no training on API data)
  • Share your code with third parties
  • Keep file contents in our database — they exist only in memory during the scan and are discarded immediately after
  • Make changes to your repo without explicit consent (the "Open pull request" button asks you first)
  • Use your code for anything except the scan you requested

What we DO store, exactly

Inspect our schema yourself — it's open. Per scan we save:

  • Scan: repo name, branch, file count, timestamps
  • Vulnerability: file path + line numbers + the ~5-20 line snippet Claude flagged + our proposed fix + severity

The snippets we save are exactly the same code you'll see in the report — never the full file, never anything Claude didn't flag.

Where the data lives

  • Authentication — GitHub OAuth, token stored encrypted in our Postgres database (Vercel-managed). Used only to call the GitHub API on your behalf.
  • Database — Vercel Postgres, encrypted at rest (AES-256), encrypted in transit (TLS 1.3). Daily automated backups.
  • Hosting — Vercel. All traffic over HTTPS only (HSTS enforced for 1 year, including subdomains).
  • AI analysis — Anthropic Claude API. Per Anthropic's policy, API requests are not used to train models and are kept only for abuse review (max 30 days).

How to revoke access

  1. Go to github.com/settings/applications
  2. Find Prev-ent in the list
  3. Click Revoke

That instantly invalidates our access. We can no longer read or write anything in your account.

The technical defenses we run

  • HTTPS-only with HSTS preload (max-age=31536000)
  • Content Security Policy locked to known sources
  • X-Frame-Options: DENY (no clickjacking)
  • X-Content-Type-Options: nosniff
  • All database queries parameterized via Prisma (no raw SQL anywhere)
  • Per-user rate limiting on scan + apply-fix endpoints
  • Prompt-injection mitigation: untrusted code is wrapped in explicit boundary markers and Claude is instructed to treat embedded instructions as findings, not commands
  • All sensitive operations require an active session; every API call verifies scan.userId === session.user.id

Found a security issue?

Email us at security@prev-ent.com. We respond within 24 hours and credit responsible disclosure.