Security at Source Trace
Your code stays on your machine. We take security seriously.
Code Privacy
Your source code never leaves your local machine. We only collect metadata and statistics.
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
Transparency
Our open-source tools allow working with AI Blame data in any Git repository.
Responsible Disclosure
Found a security issue? Contact us for a prompt response.
What We Collect
- Line counts (added, removed, survived)
- Commit timestamps and limited metadata
- AI agent and model names and versions
- File extensions and name hashes
What We Don't Collect
- Source code or file contents
- Commit messages
- Plaintext file names and repository URLs
- Personally identifiable information in code
Local-First Architecture
Personal Plan: Your code never leaves your machine. AI Blame is computed locally and can optionally be stored as Git notes in your repository. Model names and coding stats (such as line counts, commit time, and file types) are shared with Source Trace so that you can use an optional online account across multiple devices and so that we can power AI Model Rankings.
Team Plans: Optional cloud sync to power new team features (more details coming soon). Even with cloud sync enabled, your source code never leaves your machine.
This architecture ensures that your code remains completely private while still enabling AI Git Blame and model rankings. Note: when you use SaaS AI providers, your code is shared with those providers during prompting and inference; Source Trace is not affiliated with any AI vendor and does not receive that data.
Encryption Standards
In Transit: All data transmitted to our servers uses TLS 1.3 encryption (HTTPS), the latest industry standard for secure communication.
At Rest: Cloud-stored data is encrypted using AES-256, the same standard used by financial institutions and government agencies.
One-Way Hashing: Sensitive identifiers like repository URLs are hashed using SHA-256 before transmission, making them cryptographically irreversible.
Security Incident Response
We take security incidents seriously and have a documented incident response process:
- Detection: Continuous monitoring and alerting systems
- Assessment: Immediate investigation of potential security issues
- Containment: Swift action to contain and mitigate any breach
- Notification: Prompt notification to affected users if a breach occurs
- Remediation: Implementation of fixes and improvements
- Review: Post-incident analysis and documentation
If you discover a security vulnerability, please report it to us immediately. We will respond promptly and work with you to address the issue.
Security Best Practices
- Regular security audits and vulnerability assessments
- Principle of least privilege for system access
- Secure coding practices and code review processes
- Dependency scanning and automated security updates
- Access logging and monitoring
- Secure credential management and rotation
- Regular backups with encryption
- Incident response drills and preparedness
Third-Party Services
We carefully vet all third-party services we use for hosting, payments, and infrastructure:
- All vendors must meet industry-standard security certifications
- Data processing agreements are in place with all vendors
- Regular security reviews of third-party integrations
- Minimal data sharing: only what's necessary for service operation
We are not affiliated with AI model providers or cloud infrastructure companies, ensuring no conflicts of interest in how your data is handled.
Responsible Disclosure Program
Security researchers: We welcome responsible disclosure of security vulnerabilities.
How to Report:
- Contact us with details of the vulnerability
- Include steps to reproduce, impact assessment, and any proof-of-concept code
- Allow us reasonable time to investigate and address the issue before public disclosure
- Do not access, modify, or delete user data beyond what's necessary to demonstrate the vulnerability
Our Commitment:
- We will respond to your report within 48 hours
- We will keep you informed of our progress
- We will publicly acknowledge your responsible disclosure (if desired)
- We will not pursue legal action against researchers who follow these guidelines
Compliance & Certifications
GDPR Compliance: We comply with EU General Data Protection Regulation requirements, including data minimization, user rights, and international data transfer protections.
CCPA Compliance: We comply with California Consumer Privacy Act requirements for California residents.
SOC 2: We are working toward SOC 2 Type II certification for enterprise customers.
Questions about our security practices?
Contact Security Team