Trust centre
Current facts about how we handle code and data.
No aspirational badges. This page lists what is true today: how Sebastion processes code, which providers help run it and how to reach us about security.
Compliance posture
| | Status |
|---|---|
| SOC 2 / ISO 27001 | Not certified today |
| DPA | Available on request |
| HIPAA / PCI | Not in scope |
| Vulnerability disclosure | Published policy + security.txt |
Hosting and data handling
| | Where + how |
|---|---|
| Application hosting | Managed cloud hosting |
| DNS and edge security | Cloudflare |
| Encryption in transit | HTTPS / TLS |
| Encryption at rest | Managed provider encryption for persisted data |
- Source code is processed for PR review and is not used to train Foundation Machines models.
- We retain findings and operational metadata needed to show audit history, support suppressions and debug product issues.
- We use provider controls intended to prevent model vendors training on customer prompts and responses.
Sub-processors
These providers may process customer data as part of installing, authenticating, running audits or sending product email.
| Vendor | Purpose | Region |
|---|---|---|
| GitHub | GitHub App install, repository metadata and OAuth | Global |
| Anthropic | Frontier model inference | US |
| OpenAI | Frontier model inference | US |
| OpenRouter | Model routing fallback | US |
| Vercel | Application hosting | Global |
| Cloudflare | DNS, edge security and email routing | Global |
| Firebase Auth (Google) | Sign-in and identity | Global |
| Resend | Transactional email | Global |
Incident history
We have not had a reportable security incident to date. If that changes, we will publish a post-mortem for incidents that affect customer data or availability.