Security

We take security seriously. Here's how we protect your data and maintain your trust.

Last updated: January 7, 2026

Security Measures

Row-Level Security (RLS)

Every database table is protected with PostgreSQL Row-Level Security policies. Users can only access their own data - scans, API keys, and profile information are isolated at the database level.

Secure API Key Storage

API keys are hashed using SHA-256 before storage. The plaintext key is shown only once at creation and never stored. We use timing-safe comparison to prevent timing attacks.

No Code Retention

Repository code is downloaded to a temporary directory, analyzed, and immediately deleted after the scan completes. During analysis, relevant code snippets are sent to Anthropic's Claude API for security assessment. We never store your source code permanently.

Encryption in Transit

All connections use TLS 1.3 encryption. HTTPS is enforced on all endpoints with HSTS headers. API communications are encrypted end-to-end.

PCI-Compliant Payments

Payments are processed by Stripe. We never see or store your credit card information - it goes directly to Stripe. See Stripe's security page for their certifications.

Minimal Data Collection

We only collect data necessary to provide the service: your email, scan results, and usage metrics. No tracking pixels, no selling data to third parties.

Application Security Controls

Technical controls implemented in our application code.

HTTP Security Headers

All responses include security headers: X-Frame-Options (clickjacking protection), X-Content-Type-Options (MIME sniffing prevention), strict Referrer-Policy, and Permissions-Policy restricting browser features.

Authentication Required

All API endpoints that access user data require authentication via session cookie or API key. Scan results, PDF reports, and email features enforce ownership verification.

Input Validation

User inputs are validated and sanitized. URLs are parsed and validated before use. Email addresses are validated against RFC standards. File uploads are type-checked and size-limited.

Secure Random Generation

Scan IDs and other identifiers use cryptographically secure random generation (Node.js crypto module) rather than predictable sequences.

Redirect Validation

Post-authentication and payment redirects are validated against an allowlist of trusted domains to prevent open redirect vulnerabilities.

Error Handling

API error responses return generic messages to users. Detailed error information is logged server-side only, preventing information disclosure.

Infrastructure

We use trusted, enterprise-grade infrastructure providers with strong security track records.

Note: Provider certifications and security practices are subject to change. See each provider's security documentation for current status.

Provider | Role | Security Details | Region
Vercel | Application Hosting | Serverless deployment with edge network, automatic HTTPS, DDoS protection | Global edge network
Supabase | Database & Auth | Managed PostgreSQL with RLS. See Supabase security. | US East (Virginia)
Stripe | Payment Processing | Handles all payment data. See Stripe security. | US
Anthropic Claude | AI Analysis | Code snippets sent for analysis. See Anthropic's privacy policy. | US

Data Handling & Retention

We believe in minimal data retention. Here's exactly what we store and for how long.

Data Type | Retention | Storage | Access
Source Code | Deleted immediately after scan | Temporary filesystem; snippets sent to Claude API | Automated analysis only
Scan Results | Until account deletion | Encrypted database | Only you (RLS enforced)
API Keys | Until revoked | SHA-256 hashed | Only you
Payment Info | Managed by Stripe | Never on our servers | Stripe only

Privacy-Respecting Practices

Data Subject Rights

You can export or delete your data at any time. Contact us and we'll process your request within 30 days.

No Third-Party Tracking

We don't use Google Analytics, Facebook Pixel, or other third-party trackers. Your browsing stays private.

Transparent Data Practices

Our Privacy Policy clearly explains what we collect and why. No hidden data collection.

US-Based Infrastructure

Our primary infrastructure is hosted in the United States with enterprise-grade providers.

Security Vulnerability Reporting

Found a security vulnerability? We appreciate responsible disclosure. Please email us at security@lowlatencylabs.app with details. We commit to:

  • Acknowledge receipt within 48 hours
  • Provide an initial assessment within 7 days
  • Keep you informed of our progress
  • Credit you in our security acknowledgments (if desired)