Trust & security

How we handle your code.

You're trusting a security tool with your source code — here is exactly what happens to it, and what never happens to it.

Your code is deleted after every scan

Each scan clones or unzips your project into its own temporary folder on our server. When the scan finishes — or fails — that folder is deleted. Deletion runs unconditionally at the end of every scan; there is no copy of your source code left behind, and no human reads it.

Secrets are redacted before anything is kept

If the scan finds an API key or password, the report stores where it was found and what kind of key it is — never the value. Findings are stored with the secret replaced by [REDACTED], and secret values are never written to logs.

The AI explainer never sees your source code

Plain-English explanations are generated from a short, redacted summary of each finding (rule name, file path, redacted description) — not from your code. Your project is never used to train anything.

Reports auto-delete after 30 days

The only thing we keep is the findings report behind your share link, so you can send it to a developer or re-check your fixes. Report links use unguessable random IDs and expire after 30 days, then the report is deleted from disk.

GitHub tokens are used once and forgotten

A token you provide for a private repo is used for that single clone request and is never stored, logged, or reused. The optional “is this leaked key still live?” check runs only when you tick the box, makes one read-only API call, and never stores the key.

Everything travels encrypted

Uploads, scans, and report links are HTTPS-only. Scans run on a single server (Fly.io, London region) — your code is processed in one place, not fanned out to third parties.

What we never do

  • We never sell, share, or train on your code or your scan results.
  • We never call external services with a leaked key unless you explicitly opt in — and then only one read-only call to check if it is still active.
  • We never require an account, and this site sets no advertising or analytics cookies.
  • We never keep your source code after the scan ends — only the redacted findings report, and only for 30 days.

Questions or a security concern?

Auditly AI is in beta. If anything here is unclear, or you believe you have found a security issue in Auditly AI itself, email habdikadir99@gmail.com and you will get a reply from the person who built it.

For what we collect and how long we keep it, see our Privacy Policy.