Security

How StackProof handles your code and credentials

This page describes what access is requested, what is stored, how it is protected, and what is deleted when.

Repository access

How StackProof reads your repos

StackProof uses GitHub OAuth with the read:user, user:email and repo scopes. The repo scope grants read-only access to your repositories (public and private). StackProof uses this access only to fetch the repos you explicitly select for a scan.

If you prefer tighter scope, you can connect with a GitHub Personal Access Token restricted to specific repositories and read-only permissions. The OAuth flow is the default because most users find it faster to set up.

After a scan completes, the cloned source files are deleted from the processing environment. StackProof does not maintain a persistent copy of your code.

Token storage

Encryption at rest

Credentials stored in the database are encrypted with AES-256-GCM using a server-side secret. They are only decrypted at scan runtime, are never logged, and are never returned to the client.

  • GitHub OAuth token: AES-256-GCM encrypted in PostgreSQL (src/lib/crypto.ts)
  • BYOK API keys (Anthropic, Google, OpenAI): AES-256-GCM encrypted in PostgreSQL
  • Scan reports (when retention enabled): AES-256-GCM encrypted in PostgreSQL
  • Session tokens: HttpOnly cookie, managed by NextAuth
  • Payment information: handled entirely by Stripe. StackProof never sees card numbers.

Data storage

What is and is not stored

Stored

  • Your email address and GitHub username (authentication only)
  • Encrypted GitHub OAuth access token (used to call GitHub API on your behalf)
  • Scan reports and findings (user-configurable retention; deletable from dashboard)
  • Encrypted BYOK API keys if you are on the Lifetime plan
  • Scan quota counters and billing state

Not stored

  • Source code files (deleted after scan completes)
  • Payment card numbers (Stripe handles payment processing)
  • Salary data or personal contact information beyond email
  • Interview transcripts older than 30 days (soft-deleted)

AI output verification

Guarding against AI hallucination

AI model outputs are treated as untrusted until verified. Three defensive layers run before any finding reaches the database or your report.

  1. Bailiff

     Each finding must cite a specific file path and line range from the repository snapshot. Findings without verifiable citations are rejected or downgraded. A fuzzy tolerance of ±5 lines absorbs minor model drift in exact line numbers.

  2. Citation verification

     Cited file paths are checked against the actual snapshot. Paths that do not exist in the snapshot fail verification.

  3. Prose bailiff

     Every claim in the prose report must trace back to a finding in the structured skeleton. Ungrounded prose claims are removed before the report is written to the database.

The scan report includes a verification rate (citations verified vs. total AI checks run) so you can inspect evidence quality directly.
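The bailiff and citation checks described above, as an added example that is not StackProof's own code: a small TypeScript verifier that rejects findings whose cited path is missing from the snapshot, locates the quoted snippet inside the cited line range with the ±5 line tolerance (repairing the line numbers and downgrading on a fuzzy hit), and computes the verification rate. The snapshot shape, the Finding fields, the verdict names and the sample file are assumptions made for this example.

```typescript
// Added example, not StackProof's own code: a minimal "bailiff" that grounds an AI finding
// in the repo snapshot before it is accepted. Snapshot shape, Finding fields and verdict names are assumptions.

type Snapshot = Map<string, string>; // repo path -> file contents
interface Finding { path: string; startLine: number; endLine: number; snippet: string }
interface Verdict { status: "verified" | "downgraded" | "rejected"; startLine?: number; endLine?: number }
const LINE_TOLERANCE = 5; // fuzzy window for model drift on line numbers

// 1-based line where `snippet` starts inside lines[lo, hi), or -1 if absent (whitespace-insensitive).
function locate(lines: string[], snippet: string, lo: number, hi: number): number {
  const want = snippet.split("\n").map((s) => s.trim());
  for (let i = Math.max(0, lo); i + want.length <= Math.min(hi, lines.length); i++) {
    if (want.every((w, k) => lines[i + k].trim() === w)) return i + 1;
  }
  return -1;
}

function verifyFinding(f: Finding, snap: Snapshot): Verdict {
  // Citation verification: a path absent from the snapshot, or a nonsensical range, fails outright.
  const content = snap.get(f.path);
  if (content === undefined || f.startLine < 1 || f.endLine < f.startLine) return { status: "rejected" };
  const lines = content.split("\n");
  // Exact: the quoted snippet sits inside the cited line range.
  if (locate(lines, f.snippet, f.startLine - 1, f.endLine) !== -1) {
    return { status: "verified", startLine: f.startLine, endLine: f.endLine };
  }
  // Fuzzy: found within ±LINE_TOLERANCE lines; keep it, repair the range, but downgrade.
  const at = locate(lines, f.snippet, f.startLine - 1 - LINE_TOLERANCE, f.endLine + LINE_TOLERANCE);
  if (at !== -1) {
    return { status: "downgraded", startLine: at, endLine: at + f.snippet.split("\n").length - 1 };
  }
  return { status: "rejected" };
}

// Verification rate as reported on the scan: verified citations / checks run.
function verificationRate(findings: Finding[], snap: Snapshot): number {
  const ok = findings.filter((f) => verifyFinding(f, snap).status === "verified").length;
  return findings.length ? ok / findings.length : 1;
}

// Constructed sample snapshot: one file with an unparameterised query for a finding to cite.
const SAMPLE_SNAPSHOT: Snapshot = new Map<string, string>([
  ["src/db.ts", [
    "export async function findUser(name: string) {",
    "  const q = `SELECT * FROM users WHERE name = '${name}'`;",
    "  return pool.query(q);",
    "}",
  ].join("\n")],
]);
```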

Access control

Tenant isolation and rate limiting

Every API route that returns user-scoped data passes through an ownership check that compares the resource's userId against the authenticated session userId. A mismatch returns HTTP 403. This check covers scan results, pipeline items, interview sessions, BYOK keys, preferences, and billing state.

Rate limiting runs at the Vercel Edge layer using a sliding-window algorithm. Authentication routes are limited to 10 requests per minute. Scan endpoints have per-tier limits. All limits apply in production regardless of IP.

Concurrent scan abuse is prevented with a Redis deduplication lock that blocks a second scan on the same repository while the first is running.

Payments

Stripe handles all payment data

StackProof uses Stripe for all payment processing. Card numbers, bank details, and payment tokens never touch StackProof's servers. Stripe webhooks are verified with HMAC signatures and an idempotency guard prevents duplicate event processing.

Data deletion

Deleting your data

You can delete individual scan reports from your dashboard at any time. Account deletion removes all reports and account data within 30 days. Interview transcripts are soft-deleted after 30 days regardless of account status.

To request data deletion, contact hello@stackproof.app. You do not need an active account to make a deletion request.

Reporting a vulnerability

If you find a security issue, email hello@stackproof.app with a description and reproduction steps. Do not open a public issue. We acknowledge reports within 2 business days.