
Trust Center

Security is not a feature.
It is the architecture.

DevSafe encrypts your code before it leaves your machine. Your keys never touch our servers. Your backups live in your own storage.

Zero Knowledge
We cannot read your code. Keys never leave your machine.
User-Owned Keys
You generate the key. You hold the key. We never see it.
Your Storage
Backups go to your Cloudflare R2 or S3 bucket. Not ours.
Git-Aware
Reads directly from git's internal structures. Never writes to your .git directory.
Verifiable
Every backup is verified restorable. Receipted proof, not promises.
No Training
Your code is never used to train models. Never shared. Never sold.

What we enforce

Security controls

Need to map these against your vendor questionnaire? Read the pre-filled SIG Lite with all 19 risk domains answered.

Encryption
  • AES-256 authenticated encryption
  • Unique key per repository, never transmitted
  • TLS 1.2 or higher to DevSafe infrastructure and storage providers
  • Encryption at rest on all infrastructure (Supabase)
  • HTTPS enforced. No HTTP connections accepted.
  • Streaming encryption for large repos. AES-NI hardware acceleration.
Application Security
  • Encrypted snapshots from git's internal structures, not filesystem copy
  • Snapshot verification before encryption
  • Parameterized queries on all database access
  • CORS locked to devsafe.com only
  • Rate limiting on all API endpoints
  • Input validation on every request
  • Security headers (HSTS, CSP, X-Frame-Options)
Access Control
  • User-generated encryption keys. Never transmitted or stored by DevSafe.
  • Email and password, magic link, or GitHub OAuth authentication. Optional TOTP multi-factor authentication. Passwords hashed by Supabase Auth, never accessible to DevSafe.
  • API key authentication for programmatic access
  • Principle of least privilege for all systems
  • Role-based access (Owner, Member) for team plans
Infrastructure
  • DDoS protection via Cloudflare
  • Web Application Firewall (WAF)
  • Bot detection and blocking
  • Immutable deployments with instant rollback
  • Private networking between services
  • Automated SSL certificate provisioning
Audit
  • Every backup receipted with cryptographic verification proof
  • Tamper-evident audit trail on all operations
  • Backup integrity verified on restore
  • Export all data anytime. No lock-in. Open backup format.
  • Restore with standard tools: decrypt with your key, clone with git
Organizational
  • All systems use environment variables for secrets
  • No customer data used for training. Ever.
  • No third-party analytics tracking
  • Incident response plan documented
  • Sub-processor list published and maintained
  • GDPR Data Processing Agreement available

Backup verification

Every backup DevSafe creates is cryptographically verified restorable. Not "probably fine." Provably intact.

  • Encryption: AES-256
  • Authentication: GCM
  • Key Isolation: Isolated
  • Integrity: Verified

After upload, DevSafe checks the GCM authentication tag and confirms the bundle is structurally valid and restorable. The receipt records that check.

The backup format is documented and open. You can restore without DevSafe. Decrypt with your key and restore with standard git tools. No vendor required.

Compliance status

GDPR Aligned
Privacy by design. Zero-knowledge encryption means we cannot access your code or backups even if compelled. DPA available. Data subject rights supported. EU hosting option via R2.
CCPA Aligned
No sale of personal data. Consumer deletion supported. Privacy policy addresses CCPA requirements.
SOC 2 Type II Roadmap
Controls implemented. Compliance platform evaluation in progress. Observation period target: 2027.
HIPAA In Prep
Zero-knowledge architecture addresses several HIPAA technical safeguards. BAA template in preparation. All plans use user-owned storage.
ISO 27001 Planned
Targeted for enterprise expansion. Significant overlap with SOC 2 controls already in place.

Sub-processors

These are the third-party services that may process data on your behalf when you use DevSafe. This list is maintained per GDPR Article 28. We notify customers of changes.

Provider | Purpose | Data Processed | Location
--- | --- | --- | ---
Cloudflare | Website hosting, DNS, DDoS protection, WAF, CDN, SSL/TLS | Request metadata (IP, headers). Not query content, no PII. | Global edge
Supabase | User authentication, account database | Email, usage metrics | US (EU option)
Stripe | Payment processing | Payment card details (DevSafe never sees card numbers) | US
Resend | Transactional email delivery | Email address, email content | US

Your data stays yours

Your code and backups are not processed by any sub-processor. Encrypted backups go directly from your machine to your own storage bucket. DevSafe never has access to your encryption keys or your backup contents.

How we handle your data

We never see your code
Your encryption key is generated locally and never transmitted. Backups are encrypted before leaving your machine and sent directly to your own cloud storage. DevSafe operates on encrypted blobs we cannot decrypt.
We never train on your data
Your code, queries, and backup contents are yours. They are never used to improve models, never shared with third parties, never sold. This is architectural, not policy. We cannot train on what we cannot see.
Export everything, anytime
The backup format is documented and open. Your backups are AES-256 encrypted snapshots. Decrypt with your key, restore with standard git tools. No DevSafe required. No lock-in.
Delete everything on request
Request deletion of your account and all associated data. We comply within 30 days per GDPR Article 17. Your encrypted backups in your own storage remain yours to keep or delete.

Questions about security?

We respond within 24 hours.

For security-specific inquiries, responsible disclosure, or compliance document requests, contact the security team.
