Security Practices

Last updated May 2026

How SecOpsium protects your code and data.

We built SecOpsium for teams that care about security, which means we need to be transparent about how we handle yours. No hand waving. No fine print. Here is exactly what happens to your code when you connect a repository.

Scope

Applies to the SecOpsium website, dashboard, APIs, and related communications.

Contact

Questions? Email hello@secopsium.com.

Product state

SecOpsium is actively evolving. We update these terms and notices as the product grows.

How We Handle Your Code

When you run a scan, SecOpsium clones your repository into an isolated, ephemeral environment. The scan runs, typically within a few minutes, and the moment it completes the entire clone is permanently deleted. This is not a policy but an engineering constraint that holds on every exit path, including crashes and timeouts: the clone lives only in the scan environment's ephemeral storage, which is torn down together with the scan.

Your source code exists on our infrastructure only for the duration of the scan. Once the scan finishes, successfully or not, the code is gone. There is no recycle bin, no deferred cleanup queue, and no backup.

  • Source code is never written to any persistent storage.
  • Scan results contain only metadata: file path, rule ID, and a short evidence snippet. No file contents are stored.
  • Git history is used during scanning but deleted with the repository clone. We do not retain or index commit history.
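The lifecycle above, as an added example that is not SecOpsium's own code: the repository is materialised only inside a temporary directory that is removed whether the scan returns, raises, or times out, and the only thing that leaves the workspace is metadata (path, rule ID, trimmed snippet). The rule set, the sample repository, the copy-based "clone" and the secret masking are all constructed for the example; a real scanner would `git clone` into the same workspace.

```python
"""Ephemeral scan workspace: clone, scan, delete on every exit path.
Added example, not SecOpsium's code; rules, sample repo and clone are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List

SNIPPET_MAX = 80  # evidence is a trimmed line, never a file

# Constructed rule set: rule ID -> pattern that must match a single line.
RULES: Dict[str, re.Pattern] = {
    "SECRETS-001": re.compile(r"AKIA[0-9A-Z]{16}"),            # AWS access key ID shape
    "CONFIG-002": re.compile(r"^\s*debug\s*=\s*true\b", re.I),  # debug mode left on
}

# Constructed sample repository, written into the workspace in place of a git clone.
SAMPLE_REPO: Dict[str, str] = {
    "src/settings.py": "debug = True\nDB_HOST = 'localhost'\n",
    "src/aws.py": "KEY = 'AKIAIOSFODNN7EXAMPLE'  # TODO rotate\n",
    "README.md": "# demo\n",
}

@dataclass(frozen=True)
class Finding:
    path: str      # relative to the repository root
    rule_id: str
    snippet: str   # masked, trimmed evidence line; no file contents

@dataclass(frozen=True)
class ScanResult:
    findings: List[Finding]
    workspace: str           # path that was used; must no longer exist
    workspace_removed: bool

def mask(line: str, m: re.Match) -> str:
    """Keep the first four characters of the match and star the rest. The masking
    is this example's own addition: without it, the stored snippet for a
    secret-detection hit would persist the secret itself."""
    start, end = m.span()
    keep = 4
    return line[:start] + line[start:start + keep] + "*" * (end - start - keep) + line[end:]

def scan_tree(root: str) -> List[Finding]:
    """Walk the clone and emit metadata-only findings."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    line = line.rstrip("\n")
                    for rule_id, pattern in RULES.items():
                        m = pattern.search(line)
                        if m:
                            findings.append(Finding(rel, rule_id, mask(line, m)[:SNIPPET_MAX]))
    return findings

def copy_clone(repo: Dict[str, str]) -> Callable[[str], None]:
    """Stand-in for `git clone`: writes the constructed repo into the workspace."""
    def clone(workspace: str) -> None:
        for rel, text in repo.items():
            dest = os.path.join(workspace, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "w", encoding="utf-8") as fh:
                fh.write(text)
    return clone

def run_scan(clone: Callable[[str], None],
             scanner: Callable[[str], List[Finding]] = scan_tree) -> ScanResult:
    """Clone into a fresh temporary directory, scan it, and delete it.
    TemporaryDirectory.__exit__ runs on normal return and on any exception,
    including a TimeoutError raised by a watchdog, so no code path skips cleanup."""
    with tempfile.TemporaryDirectory(prefix="scan-") as workspace:
        clone(workspace)
        findings = scanner(workspace)
    return ScanResult(findings, workspace, not os.path.exists(workspace))

def workspace_removed_after_failure(clone: Callable[[str], None],
                                    scanner: Callable[[str], List[Finding]] = scan_tree) -> bool:
    """Run a scan that is expected to fail (crash or timeout) and report whether
    the workspace was still deleted."""
    seen: List[str] = []
    def tracking_clone(workspace: str) -> None:
        seen.append(workspace)
        clone(workspace)
    try:
        run_scan(tracking_clone, scanner)
    except Exception:
        pass
    return bool(seen) and not os.path.exists(seen[0])

if __name__ == "__main__":
    for f in run_scan(copy_clone(SAMPLE_REPO)).findings:
        print(f"{f.path}:{f.rule_id}: {f.snippet}")
```

Two caveats the code makes visible. First, an in-process cleanup cannot run if the process itself is killed, so the "including crashes" guarantee in practice rests on the scan environment being destroyed as a whole, with the temp root on memory-backed storage so nothing ever reaches durable disk. Second, an "evidence snippet" for a secret-detection rule is the secret unless it is masked before it leaves the workspace, which is why the example stars the match.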

Authentication & Token Security

SecOpsium connects to GitHub through a GitHub App, the same integration model used by platforms such as Vercel, Netlify, and CircleCI. We never ask for your personal access token (PAT), and we never store any long-lived credential of yours: the App authenticates to GitHub with its own signing key, and per-scan access is minted from that, never from a token you hand us.

When a scan needs access to a private repository, a short-lived installation token is minted through GitHub's official API. The token is scoped to the repositories you have explicitly authorized, and GitHub itself expires installation tokens after one hour. Once the scan completes the token is discarded: it is never saved to our database, never written to disk, and never included in any logs.

  • No personal access tokens (PATs) are ever requested or stored.
  • Access tokens are short lived, scoped to your authorized repos, and discarded after each scan.
  • No credentials of yours are persisted in our systems.
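The token discipline described above, as an added example rather than SecOpsium's code: build the App JWT claims, exchange them for an installation token that GitHub expires after one hour, hold it only for one scan in a buffer that is zeroed afterwards, and route every log line through a filter that redacts token-shaped strings and clone-URL credentials. Signing the JWT (RS256 with the App's private key) and the HTTPS call to GitHub are left to a JWT library and HTTP client; `fake_fetch` is a constructed stand-in for the access_tokens response, and the App ID and installation ID used are made up.

```python
"""GitHub App token handling: short-lived, narrowly scoped, never logged.
Added example, not SecOpsium's code; fake_fetch stands in for GitHub's API."""
import logging
import re
import time
from typing import Callable, Dict, List, Tuple

JWT_LIFETIME = 540  # seconds; GitHub caps App JWTs at 10 minutes, keep a margin

def app_jwt_claims(app_id: str, now: int) -> Dict[str, object]:
    """Claims for the App JWT. iat is backdated 60 s to absorb clock skew,
    as GitHub's App docs recommend; iss is the App ID. Signing is done by a
    JWT library with the App's RS256 private key (not shown)."""
    return {"iat": now - 60, "exp": now + JWT_LIFETIME, "iss": app_id}

# GitHub token prefixes: ghp_ PAT, ghs_ installation token, gho_/ghu_/ghr_ OAuth family.
TOKEN_RE = re.compile(r"\bgh[psour]_[A-Za-z0-9_]{16,}\b")
# Credentials embedded in a clone URL: https://x-access-token:<token>@github.com/...
CLONE_CREDS_RE = re.compile(r"(https://x-access-token:)[^@\s]+@")

def redact(text: str) -> str:
    """Replace anything token-shaped before it reaches a log sink."""
    text = CLONE_CREDS_RE.sub(r"\1[REDACTED]@", text)
    return TOKEN_RE.sub(lambda m: m.group(0)[:4] + "[REDACTED]", text)

class RedactingFilter(logging.Filter):
    """Attached to the logger, so redaction happens before any handler sees the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True

class InstallationToken:
    """One installation token, kept in a bytearray so it can be zeroed on exit.
    repr() never reveals it, so it cannot leak through a stray debug print."""
    def __init__(self, token: str, expires_at: int) -> None:
        self._buf = bytearray(token.encode())
        self.expires_at = expires_at
    @property
    def is_cleared(self) -> bool:
        return all(b == 0 for b in self._buf)
    def clone_url(self, owner: str, repo: str) -> str:
        if self.is_cleared:
            raise RuntimeError("token already discarded")
        return f"https://x-access-token:{self._buf.decode()}@github.com/{owner}/{repo}.git"
    def __enter__(self) -> "InstallationToken":
        return self
    def __exit__(self, *exc) -> None:
        for i in range(len(self._buf)):  # overwrite in place before the object is dropped
            self._buf[i] = 0
    def __repr__(self) -> str:
        return f"InstallationToken(expires_at={self.expires_at}, token=<redacted>)"

def fake_fetch(claims: Dict[str, object], installation_id: int,
               repos: List[str], now: int) -> Dict[str, object]:
    """Constructed stand-in for POST /app/installations/{id}/access_tokens.
    GitHub returns a ghs_ token valid for one hour; listing `repositories`
    narrows it to a subset of what the installation was granted."""
    assert int(claims["exp"]) - now <= 600, "GitHub would reject this JWT"
    return {"token": "ghs_" + "A1b2c3" * 6, "expires_at": now + 3600, "repositories": list(repos)}

def make_logger() -> Tuple[logging.Logger, List[str]]:
    """Logger whose emitted lines are captured in a list, so the demo can show them."""
    captured: List[str] = []
    class Capture(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            captured.append(self.format(record))
    log = logging.getLogger(f"scan-{id(captured)}")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addFilter(RedactingFilter())
    log.addHandler(Capture())
    return log, captured

def scan_repo(app_id: str, installation_id: int, owner: str, repo: str,
              fetch: Callable = fake_fetch, log: logging.Logger = None,
              now: int = None) -> Dict[str, object]:
    """Mint a token scoped to one repo, use it for one scan, then discard it."""
    now = int(now if now is not None else time.time())
    log = log or make_logger()[0]
    claims = app_jwt_claims(app_id, now)
    resp = fetch(claims, installation_id, [repo], now)
    with InstallationToken(resp["token"], resp["expires_at"]) as tok:
        log.info("cloning %s", tok.clone_url(owner, repo))  # redacted by the filter
        # the clone into an ephemeral workspace and the scan itself run here
    return {"repo": f"{owner}/{repo}", "token_cleared": tok.is_cleared,
            "token_lifetime_s": int(resp["expires_at"]) - now,
            "scoped_to": resp["repositories"]}

if __name__ == "__main__":
    log, lines = make_logger()
    print(scan_repo("12345", 678, "acme", "api", log=log))
    print(lines)
```

The zeroed bytearray expresses the intent; the `str` copies Python creates along the way (the API response, the clone URL) cannot be scrubbed, so in a real deployment the credential is handed to git through a credential helper or `GIT_ASKPASS` rather than embedded in the remote URL, and the process that held it exits with the scan environment.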

What We Store and What We Don't

Transparency matters. Here is the complete picture of what lives in our database and what does not. You should never have to wonder whether your code is sitting on someone else's server.

Persisted by design

What we store

  • Scan findings, including rule ID, file path, evidence snippet, severity, and remediation guidance.
  • A reference identifier (the GitHub App installation ID) that lets us request temporary access when you trigger a scan. This is not a token or credential: on its own it grants no access to anything.
  • Your account data, including email, securely hashed password, workspace metadata, and scan history.

Deliberately excluded

What we never retain

  • Source code, file contents, repository data, or Git history.
  • GitHub tokens, API keys, or any form of access credentials.
  • Raw scan output or intermediate processing artifacts.

Infrastructure & Isolation

The component that touches your code runs in a fully isolated environment, separate from the rest of the platform. It has no access to user accounts, billing data, or other customers' information.

All external traffic passes through a hardened proxy layer with industry standard security headers and rate limiting enforced at multiple levels. We follow the principle of least privilege throughout: each component in our system can only access what it strictly needs to perform its function.

  • Code scanning runs in an isolated environment with no access to user data.
  • Each scan uses its own temporary workspace, cleaned up immediately after completion.
  • Rate limiting is enforced at multiple layers to prevent abuse.
  • All internal communication is authenticated and encrypted.

Permissions & Access Control

When you connect GitHub, you are taken to GitHub's own installation screen where you choose exactly which repositories to grant access to. You can select all repositories or pick specific ones; the choice is entirely yours. SecOpsium can only see and scan the repositories you explicitly authorize.

Revoking access is straightforward. You can disconnect GitHub from the SecOpsium dashboard, or uninstall the GitHub App directly from your GitHub settings. Either way, access is immediately revoked and we can no longer access your repositories.

For team workspaces, only workspace owners and admins can connect or disconnect GitHub. Regular members can trigger scans on already connected repositories, but they cannot modify the integration itself.

  • You choose repos individually or grant access to all; the decision is yours.
  • Revoke anytime from the SecOpsium dashboard or your GitHub settings.
  • Workspace owners and admins control GitHub linking; members can scan but not modify integrations.
  • Personal and workspace contexts are fully isolated: connecting GitHub to your personal account does not affect your team workspace, and vice versa.

Open Source & Transparency

We believe the best way to earn trust is to show our work. The SecOpsium CLI, the same scanning engine that powers the platform, is available as an open source tool. You can inspect the detection rules, run scans locally, and verify that our platform produces the same results.

We are building SecOpsium for founders and engineering teams who take security seriously but should not need a six figure budget or a dedicated security hire to achieve it. If you have questions about our security practices that are not answered here, reach out directly. We are happy to go deeper.

  • SecOpsium CLI is open source: github.com/secopsium/secopsium-cli
  • We welcome security related questions through the contact email listed on this page.

Need to reach us?

For privacy or terms questions, email hello@secopsium.com. We will do our best to respond promptly.