Attestely sells security software. We owe you transparency about how we handle ours. This page documents our infrastructure, our data practices, and our disclosure policy. It is updated as the product evolves — the last-updated date above is authoritative.
1. Infrastructure
- Primary data center: Supabase EU (Paris, eu-west-3) for Postgres.
- Edge workers: Cloudflare Workers, EU edge with Paris as primary egress.
- Object storage: Cloudflare R2, EU region — used for short-lived scan artefacts only.
- Transactional email: Resend, EU region.
- LLM provider: Anthropic Claude, US-hosted, configured with a no-training data policy. We are working towards a Zero Data Retention contract before general availability.
- HTTPS everywhere with HSTS preload, TLS 1.2+ only, strong cipher suites.
- Secrets management: Cloudflare Workers environment bindings and Wrangler secrets. No secrets in source code.
2. How we handle your code
- Scanner runs happen in your own GitHub Actions environment when possible (the open-source CLI). Only findings and small surrounding context are sent to our backend.
- Code snippets sent to the LLM provider are processed in-flight and not retained on our side beyond the time required to produce a finding's analysis. Raw blobs are purged within 30 days.
- Findings themselves are stored in the EU and kept until you delete them or your account.
- We never train AI or ML models on your code. Our LLM provider operates under its no-training data policy on our keys.
3. The open-source CLI
The Attestely CLI is released under the GNU AGPLv3. The rationale is documented internally in ADR-007: we want users to be able to audit the scanner, run it offline, and self-host it for free, while keeping the cloud backend proprietary. If you need to embed the scanner in a commercial product where AGPL is incompatible, contact us at hello@attestely.com to discuss a commercial license.
4. Responsible disclosure
If you believe you have found a security vulnerability in Attestely (marketing site, dashboard, API, CLI, GitHub App), please report it to security@attestely.com.
For sensitive reports, you may encrypt the message with our PGP key (coming soon — to be published at /.well-known/security.txt).
4.1 — What we promise
- Acknowledge your report within 48 hours
- Provide a status update within 7 days
- Coordinate a disclosure timeline of 14 days for critical issues, 30–90 days for non-critical issues
- Credit you publicly in the “Hall of fame” below, unless you prefer to remain anonymous
- Not take legal action against you for good-faith research conducted under this policy
4.2 — What we ask of you
- Do not access, modify, or destroy data that is not yours
- Do not run automated scans against our infrastructure beyond what is needed to demonstrate the issue
- Do not disclose publicly before we have had a reasonable chance to remediate (see windows above)
- Do not extort us — that is not in scope of responsible disclosure
4.3 — Scope
In scope:
- attestely.com, app.attestely.com, api.attestely.com
- The Attestely GitHub App
- The getAttestely/cli open-source repository
Out of scope:
- Social engineering attacks against our team or our users
- Physical attacks against our infrastructure providers
- Denial-of-service attacks of any volume
- Issues in third-party services we use (report those directly to the provider)
- Missing security headers without an associated exploit
5. CLI security policy
The CLI repository has its own SECURITY.md with version support, supported platforms, and reproducible-build instructions: github.com/getAttestely/cli/blob/main/SECURITY.md.
6. Hall of fame
Researchers who help us responsibly will be listed here, with their consent.
The hall of fame is empty for now — be the first.
7. Contact
Security: security@attestely.com
General: hello@attestely.com
Privacy: privacy@attestely.com