Security at CrossGraph.
We analyze source code from your repos. That's a lot of trust. Here's how we earn and keep it.
Source code is never persisted.
When the analyzer runs, a Fly Machine clones your repo into an ephemeral Firecracker VM, parses it in memory, and the VM is destroyed when the job completes. Only graph metadata — service names, endpoint paths, file + line references, taint labels — leaves that boundary. Source snippets shown in PR comments are fetched from GitHub at display time using your installation token and are never cached server-side.
This is stated explicitly in our Terms of Service and repeated during install.
Tenant isolation.
Every tenant-scoped table in our Postgres has FORCE ROW LEVEL SECURITY plus a current_tenant_matches() helper that fails closed when the session GUC is missing or empty. A connection pooler that forgot to set the tenant context cannot read any row. The application role is a plain non-superuser without BYPASSRLS, because superusers and BYPASSRLS roles skip row-level security entirely, and FORCE only extends the policies to the table owner.
That's verified by an integration test in our CI that provisions a non-superuser role in PGlite and confirms that cross-tenant reads are blocked, cross-tenant INSERTs are refused by WITH CHECK, and a cleared GUC hides every row.
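The pattern above, as an added worked example in plain Postgres SQL. This is not CrossGraph's schema, helper or CI test; the table (findings), the role (app_rw) and the GUC name (app.current_tenant) are assumed for illustration. The second half of the script performs the same three checks the integration test does, and must be run as the non-superuser role, since a superuser would bypass the policy and make every check pass vacuously.

```sql
-- Added example, not CrossGraph's code. Assumed names: table findings,
-- role app_rw, session GUC app.current_tenant.

CREATE ROLE app_rw NOLOGIN;   -- non-superuser, no BYPASSRLS: policies apply to it

CREATE TABLE findings (
  id        bigserial PRIMARY KEY,
  tenant_id text NOT NULL,
  summary   text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON findings TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE findings_id_seq TO app_rw;

-- Fail-closed helper. current_setting(name, true) returns NULL when the GUC was
-- never set, and a placeholder GUC reads as '' after RESET, so both are treated
-- as "no tenant context" and never match any row.
CREATE FUNCTION current_tenant_matches(row_tenant text) RETURNS boolean
LANGUAGE sql STABLE AS $$
  SELECT row_tenant = NULLIF(current_setting('app.current_tenant', true), '')
$$;

ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;   -- owner is subject to it too (unless superuser)

-- USING filters SELECT/UPDATE/DELETE; WITH CHECK guards INSERT/UPDATE results.
CREATE POLICY tenant_isolation ON findings
  USING (current_tenant_matches(tenant_id))
  WITH CHECK (current_tenant_matches(tenant_id));

-- Constructed seed data: two tenants, one finding each.
SET app.current_tenant = 'org-111';
INSERT INTO findings (tenant_id, summary) VALUES ('org-111', 'sqli in /api/search');
SET app.current_tenant = 'org-222';
INSERT INTO findings (tenant_id, summary) VALUES ('org-222', 'open redirect in /login');

-- The checks, as the application role (not as a superuser).
SET ROLE app_rw;

-- 1. Cross-tenant reads are blocked: only org-111's row is visible.
SET app.current_tenant = 'org-111';
SELECT tenant_id, summary FROM findings;

-- 2. Cross-tenant INSERT is refused by WITH CHECK (row-level security policy error).
INSERT INTO findings (tenant_id, summary) VALUES ('org-222', 'smuggled row');

-- 3. Cleared GUC (the "pooler forgot to set context" case) hides every row.
RESET app.current_tenant;
SELECT count(*) FROM findings;

RESET ROLE;
```

Run it with psql against a scratch database; check 2 deliberately raises an error and psql continues to check 3 outside a transaction. Dropping the NULLIF in the helper is the classic mistake: after RESET the GUC compares as '', which still matches nothing here, but a helper written as `coalesce(current_setting(...), '')` combined with an empty tenant_id column would silently match.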
Encryption.
- At rest: R2 (AES-256-GCM), Supabase Postgres (AES-256), Fly volumes (AES-256).
- In transit: TLS 1.2+ only; HSTS preload on every public domain.
- Webhooks: GitHub + Stripe webhook payloads are HMAC-verified with constant-time comparison.
- GitHub App JWT: RS256-signed, 10-minute lifetime, 60-second clock-skew tolerance.
Compliance roadmap.
| Attestation | Status | Target |
|---|---|---|
| SOC 2 Type 1 | Plan live, controls in place | Report Q3 2026 |
| SOC 2 Type 2 | Observation window starts post-Type-1 | Q4 2026 / Q1 2027 |
| HIPAA (BAA) | Enterprise tier, on request | Q1 2027 |
| ISO 27001 | Roadmap | 2027 |
| GDPR DPA | On request | Available now |
| FedRAMP | Not planned for 2026 | — |
Reporting a vulnerability.
- Email: security@crossgraph.dev
- Or use GitHub's private vulnerability reporting on our repo.
- Acknowledgement within 72 hours. Severity assessment within 7 days.
Good-faith research is welcome. Full safe-harbor policy in our public SECURITY.md.
What happens on day one.
When you install the GitHub App:
- We receive an `installation` webhook from GitHub.
- We create a tenant row with your GitHub org ID — nothing else.
- We mint an OTel ingest bearer token (bcrypt-hashed at rest; shown once).
- We analyze the repos you opt into. Repos you don't opt in are never cloned.
- Beyond the sub-processors listed below, no data leaves our infrastructure for third parties.
Sub-processors.
| Vendor | Data | SOC 2 |
|---|---|---|
| Cloudflare (Workers, R2) | Webhook payloads, OTel traces | Type 2 |
| Supabase (Postgres) | Graph metadata, findings | Type 2 |
| Fly.io (Machines) | Transient source clone | Type 2 |
| GitHub | Repo access via App token | Type 2 |
| Stripe | Billing data only | Type 2 |
| Honeycomb | Our own OTel telemetry | Type 2 |