Security
How StackProof handles your code and credentials
This page describes what access is requested, what is stored, how it is protected, and what is deleted when.
Repository access
How StackProof reads your repos
StackProof uses GitHub OAuth with the read:user, user:email and repo scopes. The repo scope grants read-only access to your repositories (public and private). StackProof uses this access only to fetch the repos you explicitly select for a scan.
If you prefer tighter scope, you can connect with a GitHub Personal Access Token restricted to specific repositories and read-only permissions. The OAuth flow is the default because most users find it faster to set up.
After a scan completes, the cloned source files are deleted from the processing environment. StackProof does not maintain a persistent copy of your code.
Token storage
Encryption at rest
Credentials stored in the database are encrypted with AES-256-GCM using a server-side secret. They are only decrypted at scan runtime, are never logged, and are never returned to the client.
Data storage
What is and is not stored
Stored
- Your email address and GitHub username (authentication only)
- Encrypted GitHub OAuth access token (used to call GitHub API on your behalf)
- Scan reports and findings (user-configurable retention; deletable from dashboard)
- Encrypted BYOK API keys if you are on the Lifetime plan
- Scan quota counters and billing state
Not stored
- Source code files (deleted after scan completes)
- Payment card numbers (Stripe handles payment processing)
- Salary data or personal contact information beyond email
- Interview transcripts older than 30 days (soft-deleted)
AI output verification
Guarding against AI hallucination
AI model outputs are treated as untrusted until verified. Three defensive layers run before any finding reaches the database or your report.
- 01 Bailiff: Each finding must cite a specific file path and line range from the repository snapshot. Findings without verifiable citations are rejected or downgraded. A fuzzy ±5 line tolerance handles minor model drift on exact line numbers.
- 02 Citation verification: Cited file paths are checked against the actual snapshot. Paths that do not exist in the snapshot fail verification.
- 03 Prose bailiff: Every claim in the prose report must trace back to a finding in the structured skeleton. Ungrounded prose claims are removed before the report is written to the database.
The scan report includes a verification rate (citations verified vs. total AI checks run) so you can inspect evidence quality directly.
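The citation check and verification rate described above, as an added TypeScript example that is not StackProof's own code; the Finding shape, the snapshot layout, the sample file and the rate definition (verified findings over total findings) are assumptions:

```typescript
// Added example, not StackProof's code; Finding shape, snapshot layout and sample file are assumptions.
type Snapshot = Record<string, string[]>;   // repository path -> file split into lines
interface Finding {
  path: string;        // file path the model cited
  startLine: number;   // 1-based, inclusive
  endLine: number;     // 1-based, inclusive
  evidence: string;    // source text the model claims appears in that range
}
type Verdict = "verified" | "downgraded" | "rejected";
const LINE_TOLERANCE = 5;   // drift in cited line numbers that still counts as verified
// True if `needle` occurs on any line numbered lo..hi (clamped to the file).
function foundBetween(lines: string[], needle: string, lo: number, hi: number): boolean {
  const from = Math.max(1, lo), to = Math.min(lines.length, hi);
  for (let i = from; i <= to; i++) {
    if ((lines[i - 1] ?? "").includes(needle)) return true;
  }
  return false;
}
export function verifyCitation(f: Finding, snap: Snapshot): Verdict {
  const lines = snap[f.path];
  if (lines === undefined) return "rejected";   // path is not in the snapshot
  if (f.startLine < 1 || f.endLine < f.startLine || f.evidence === "") return "rejected";
  // Cited range widened by the tolerance: exact hits and small drift both verify.
  if (foundBetween(lines, f.evidence, f.startLine - LINE_TOLERANCE, f.endLine + LINE_TOLERANCE)) {
    return "verified";
  }
  // Evidence exists in the file but not near the cited lines: keep at lower confidence.
  if (foundBetween(lines, f.evidence, 1, lines.length)) return "downgraded";
  return "rejected";                             // claim is ungrounded
}
// Filters a batch and computes a verification rate (assumed here as verified / total checks).
export function verifyAll(findings: Finding[], snap: Snapshot): { kept: Finding[]; rate: number } {
  const verdicts = findings.map((f) => verifyCitation(f, snap));
  const kept = findings.filter((_, i) => verdicts[i] !== "rejected");
  const verified = verdicts.filter((v) => v === "verified").length;
  return { kept, rate: findings.length === 0 ? 1 : verified / findings.length };
}

// Constructed sample snapshot: one five-line file containing a placeholder hardcoded secret.
export const SAMPLE_SNAPSHOT: Snapshot = {
  "src/config.ts": [
    "export const settings = {",
    "  region: 'eu-west-1',",
    "  token: 'EXAMPLE_PLACEHOLDER_TOKEN',",
    "  retries: 3,",
    "};",
  ],
};
```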
Access control
Tenant isolation and rate limiting
Every API route that returns user-scoped data passes through an ownership check that compares the resource's userId against the authenticated session userId. A mismatch returns HTTP 403. This check covers scan results, pipeline items, interview sessions, BYOK keys, preferences, and billing state.
Rate limiting runs at the Vercel Edge layer using a sliding-window algorithm. Authentication routes are limited to 10 requests per minute. Scan endpoints have per-tier limits. All limits apply in production regardless of IP.
Concurrent scan abuse is prevented with a Redis deduplication lock that blocks a second scan on the same repository while the first is running.
Payments
Stripe handles all payment data
StackProof uses Stripe for all payment processing. Card numbers, bank details, and payment tokens never touch StackProof's servers. Stripe webhooks are verified with HMAC signatures and an idempotency guard prevents duplicate event processing.
Data deletion
Deleting your data
You can delete individual scan reports from your dashboard at any time. Account deletion removes all reports and account data within 30 days. Interview transcripts are soft-deleted after 30 days regardless of account status.
To request data deletion, contact hello@stackproof.app. You do not need an active account to make a deletion request.
Reporting a vulnerability
If you find a security issue, email hello@stackproof.app with a description and reproduction steps. Do not open a public issue. We acknowledge reports within 2 business days.