Security
How we protect your code and your data.
Sebastion runs across GitHub and GitLab SaaS integrations, processes pull and merge request code for review, and uses managed cloud controls for encryption, identity and operations. Looking to report a bug? See vulnerability disclosure.
Data handling
- Source code is processed for PR/MR review and is not used to train Foundation Machines models.
- Findings and operational metadata are retained so the product can show audit history, support suppressions and debug product issues.
- We use provider controls intended to prevent model vendors from training on customer prompts and responses.
Encryption and hosting
- Traffic is served over HTTPS / TLS.
- Persisted production data uses managed provider encryption at rest.
- Cloudflare provides DNS and edge security; application hosting is managed cloud.
- Secrets live in provider-managed encrypted stores, never in source code.
Access
- Sign-in uses GitHub OAuth. We never see or store your GitHub password.
- Source-host connectivity uses GitHub App installation auth and GitLab SaaS integration permissions. We never see or store your provider passwords.
- Operator access is limited to the small Foundation Machines team, requires MFA where provider controls support it, and is scoped to the task being performed.
Reporting a vulnerability
Our full responsible disclosure policy (scope, SLA, safe harbour, coordinated disclosure) is at /vulnerability-disclosure. Scanners can also pull our security.txt.
Current compliance posture and sub-processors live at /trust.