Everything you need to evaluate Claudit's security posture and data handling — all public, no NDA, no demo request.
Honest statuses — not marketing claims.
SOC 2 Type 2
Audit in preparation — target Q4 2026
GDPR compliance
EU data protection obligations met; DPA available on request
CCPA compliance
California Consumer Privacy Act requirements met
Penetration test
External pentest scheduled; results summary will be published here
Bug bounty programme
Responsible disclosure active at /security; formal bounty programme planned
ISO 42001 (AI management)
Under evaluation for 2026
Encryption in transit
TLS 1.3 on all connections. HSTS enforced with 2-year max-age.
Encryption at rest
Database encrypted at rest with daily automated backups.
Content Security Policy
Per-request CSP nonces on script-src remove the need for 'unsafe-inline'; 'strict-dynamic' extends trust from nonced scripts to the scripts they load at runtime.
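The mechanism behind that line, as an added example (not Claudit's own code): a fresh nonce per response, a script-src built from that nonce plus 'strict-dynamic', and a check that flags static script tags the policy would refuse to run. The non-script directives in BASE_DIRECTIVES and the render_page helper are assumptions for illustration, not the site's actual policy.

```python
import re
import secrets

# Assumed non-script directives for the example; not the site's real policy.
BASE_DIRECTIVES = {
    "default-src": "'self'",
    "object-src": "'none'",
    "base-uri": "'self'",
    "frame-ancestors": "'none'",
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce=["']([^"']*)["']""", re.IGNORECASE)


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, generated once per response and never reused.
    A predictable or cached nonce would let an injected tag carry a valid value."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """Header value for one response. With 'strict-dynamic' present, CSP3 browsers
    ignore host/scheme allowlists in script-src, so trust flows only from the
    nonced scripts to whatever they load via non-parser-inserted means."""
    script_src = f"'nonce-{nonce}' 'strict-dynamic'"
    directives = {**BASE_DIRECTIVES, "script-src": script_src}
    return "; ".join(f"{name} {value}" for name, value in directives.items())


def scripts_blocked_by_policy(html: str, nonce: str) -> list[str]:
    """Opening tags of <script> elements written into the markup that the policy
    would block: no nonce attribute, or a nonce that does not match this response.
    (Scripts a nonced script adds with createElement are covered by 'strict-dynamic'
    and do not appear in static markup, so they are out of scope here.)"""
    blocked = []
    for match in SCRIPT_TAG.finditer(html):
        found = NONCE_ATTR.search(match.group(1))
        if found is None or found.group(1) != nonce:
            blocked.append(match.group(0))
    return blocked


def render_page(body_script: str) -> tuple[str, dict, str]:
    """Assumed request handler: mint the nonce, put it in the header and on the
    one script tag the template emits, and return all three for inspection."""
    nonce = new_nonce()
    headers = {"Content-Security-Policy": build_csp(nonce)}
    html = f'<html><body><script nonce="{nonce}">{body_script}</script></body></html>'
    return nonce, headers, html


if __name__ == "__main__":
    nonce, headers, html = render_page("init();")
    print(headers["Content-Security-Policy"])
    # An injected tag without the nonce is the case the policy exists to stop.
    print(scripts_blocked_by_policy(html + "<script>alert(1)</script>", nonce))
```

The nonce must be minted per response and never end up in a cached page; if the HTML is served from a cache that also stores the header, every visitor shares one value and an injected tag copied from a previous view is valid.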
Authentication
Passwords hashed with bcrypt. TOTP-based 2FA available for all accounts.
Session management
HttpOnly, Secure, SameSite=Lax session cookies. 30-day idle expiry.
Rate limiting
Per-IP and per-user rate limits on all API endpoints. Audit endpoints have additional token-budget limits.
Input isolation
User-submitted code is wrapped in XML delimiters and preceded by trust-boundary instructions before it is sent to the LLM, so the model is told to treat it as data to audit rather than as instructions. Prompt injection is treated as a security boundary.
Dependency scanning
Automated CVE scanning on every build. Critical vulnerabilities block deploys.
IP anonymisation
IP addresses are anonymised before logging. Raw IPs are never persisted.
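One way to anonymise before the log line is written, as an added example (not Claudit's logging code): truncate IPv4 to the /24 and IPv6 to the /48, unwrap IPv4-mapped IPv6 addresses first so they are not mistaken for native IPv6, and never let an unparseable value fall through as-is. The prefix lengths and the access-log format are assumptions; the sample lines are constructed.

```python
import ipaddress

# Assumed prefix lengths: enough to keep network-level abuse signals, not a host.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def anonymise_ip(raw: str) -> str:
    """Return the truncated network address for any client IP string.
    Invalid input yields a placeholder rather than the raw value, so a malformed
    or spoofed X-Forwarded-For entry can never reach the log verbatim."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "invalid"
    # ::ffff:198.51.100.9 is an IPv4 client seen through a dual-stack socket;
    # a /48 on the mapped form would keep the whole IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymise_log_line(line: str) -> str:
    """Assumed access-log shape: the client address is the first space-separated
    field. Anonymise that field and leave the rest untouched."""
    ip, sep, rest = line.partition(" ")
    return anonymise_ip(ip) + sep + rest


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    for line in [
        '203.0.113.77 - - [01/Jan/2026:12:00:00 +0000] "GET /audit HTTP/1.1" 200',
        '2001:db8:abcd:1234::1 - - [01/Jan/2026:12:00:01 +0000] "POST /api HTTP/1.1" 429',
        '::ffff:198.51.100.9 - - [01/Jan/2026:12:00:02 +0000] "GET / HTTP/1.1" 200',
        'not-an-ip - - [01/Jan/2026:12:00:03 +0000] "GET / HTTP/1.1" 400',
    ]:
        print(anonymise_log_line(line))
```

Truncation is one-way, which is what "raw IPs are never persisted" requires; a keyed hash would preserve per-client correlation but is still a pseudonym of the original address, so it is not used here.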
No third-party tracking
No analytics trackers, ad pixels, or third-party scripts loaded on any page.
Application hosting
Railway (United States)
Database
Supabase — EU (Frankfurt, Germany)
LLM provider
Anthropic Claude API (United States)
US-based processors operate under EU Standard Contractual Clauses (SCCs) for GDPR compliance.
Found a vulnerability? See our Security & Disclosure Policy for scope, response timelines, and how to report. We respond to all valid reports within 5 business days.
Questions about security or compliance?
Contact security@claudit.consulting — no sales call, no NDA required to ask questions.