Privacy Policy

1. Who We Are

Custodia, LLC is a cybersecurity software company organized under the laws of the Commonwealth of Pennsylvania. We provide automated code security scanning, vulnerability reporting, dependency CVE analysis, auto-fix tooling, and monthly security posture email reports for software development teams. Our registered business address and primary point of contact for privacy matters is:

2. Information We Collect

We collect the following categories of information, no more. Each item is necessary to operate the Service.

2.1 Account & Identity Information

Account creation is handled by Clerk, Inc., our third-party authentication provider. When you register, Clerk collects and manages your email address, name, and OAuth credentials (if you sign in with Google or GitHub). Custodia receives only a Clerk-issued user ID, your email address (to send you scan completion and monthly report emails), and your subscription tier. We do not store passwords. We do not have access to your authentication credentials.

2.2 Subscription & Billing Information

Payments for paid plans are processed exclusively by Stripe, Inc. Custodia never receives, sees, or stores your credit card number, CVV, or bank account details. We receive a Stripe Customer ID and payment confirmation webhooks so we can activate or deactivate paid features. For the one-time SOC 2 Scanner purchase ($295), we store a Stripe Session ID and Payment ID for order reconciliation only.

2.3 Scan Data & Reports

When you run custodia scan, the CLI packages your source files into a text payload and sends it to our API over HTTPS. We process this payload through our security analysis pipeline and return a structured security report. The following data is stored in our database:

• Your Custodia user ID, repository name (as you provide it), security score, verdict, and the full report JSON — so you can view your report history in the dashboard and share a signed report URL.
• A SHA-256 hash of the scan payload (not the payload itself) paired with your user ID, for cache deduplication. The hash is non-reversible — it cannot be used to reconstruct your source code.

Your source code is not permanently stored. Code passed through our scan pipeline is processed in memory and passed to our AI inference provider (Anthropic). It is not written to our database, not logged to disk, and is not retained after the inference call completes. No file contents, function names, or code strings appear in any stored record. This applies equally to the Auto-Fix feature (custodia fix): source files sent for AI-powered remediation are transmitted directly to Anthropic for inference and are not stored by Custodia. You use this feature at your own risk.

2.4 Scan Usage & Quota Counters

We store per-billing-cycle counters for: number of full scans run, number of diff scans run, and number of auto-fix credits used. These counters are used solely for quota enforcement. They are tied to your Clerk user ID, reset on your billing cycle start date, and are accessible to you in the dashboard.

2.5 API Keys

If you create API keys for CLI authentication, we store a masked version of each key (prefix + last 4 characters), a human-readable name, and creation timestamp. The full key is shown to you exactly once at creation and is not stored in recoverable form in our database.

2.6 GitHub OAuth Tokens (SOC 2 Scanner — Optional)

If you use the SOC 2 Scanner product and connect a private GitHub repository, we request a GitHub OAuth token scoped to repo read access. This token is stored encrypted at rest using AES-256-GCM in our database. It is used only to fetch your repository files for the SOC 2 analysis and cannot be used for any other purpose. You may disconnect your GitHub account at any time from the dashboard, which deletes the stored token.

2.7 Scheduled Scan Configuration

If you register a repository for monthly automated scanning (custodia schedule), we store the repository name (owner/repo format), an optional GitHub personal access token encrypted at rest (AES-256-GCM) for private repos, the schedule state (enabled/disabled), and metadata about the last run (date, score, finding count). No source code from automated scans is retained after inference completes.

2.8 Anonymized Research Analytics

After each completed scan, we record a fully anonymized entry in our research dataset.This record contains no source code, no file paths, no repository name, no user identifiers, and no company information. The anonymized record contains only:

• A one-way scan ID used solely to prevent duplicate entries (never joined back to user records)
• Security score (e.g., 72) and verdict (e.g., "CONDITIONAL — FIX HIGHS BEFORE LAUNCH")
• Plan tier (FREE / Dev / Pro / Business)
• Detected technology stack labels (e.g., "Next.js", "Python", "Rust")
• Presence flags: whether an LLM integration was detected, whether payment processing was detected, whether file uploads were detected
• PII pattern category names only (e.g., "email", "phone") — never actual PII values
• Finding records stripped to: check_id, security domain, severity level, and compliance framework references (e.g., "A1:2021", "CWE-89") — no fix prompts, no file paths, no evidence text
• Per-domain security scores and frameworks checked
• Pre-aggregated severity counts (number of critical/high/medium/low findings)
• Inferred package ecosystem (npm, pip, gem, go, cargo) — derived from stack labels, not file inspection

This anonymized dataset powers Custodia's annual "State of Code Security" public research report, which publicly discloses aggregate industry cybersecurity trends without identifying any individual, organization, or codebase. The legal basis for this processing is Legitimate Interest(the advancement of public cybersecurity knowledge). This practice is disclosed in these Terms of Service. If you object to your anonymized scan data being included in research analytics, you may contact us at support@custodia.dev to have your records excluded from the research dataset.

2.9 Log & Infrastructure Data

Our hosting provider, Vercel, Inc., automatically logs standard web server data including IP addresses, request timestamps, HTTP methods, response codes, and user agent strings for the purposes of security monitoring and infrastructure operations. These logs are subject to Vercel's own data retention and privacy policies. Custodia does not analyze or export these infrastructure logs for marketing or behavioral profiling purposes.

3. How We Use Your Information

We use the information we collect for these purposes only:

• Providing the Service — running security scans, generating reports, storing your scan history, enforcing quota, and powering the dashboard.
• Authentication — verifying your identity and authorizing access via Clerk.
• Billing — managing subscription state, processing payments through Stripe, and enforcing plan limits.
• Transactional Email — sending scan completion notifications, quota warning emails, monthly automated security posture reports for scheduled scans, and critical service notices. We do not send unsolicited marketing email.
• Security & Fraud Prevention — monitoring API usage for abuse, rate limiting, and protecting the integrity of the Service.
• Cybersecurity Research — aggregating anonymized scan data as described in Section 2.8 to produce public industry research reports.
• Service Improvement — analyzing aggregate usage patterns (never individual user behavior) to improve scan accuracy, detection coverage, and product reliability.

We do not sell your personal information. We do not use your information for behavioral advertising.

4. Third-Party Service Providers

We share data with the following providers solely to the extent necessary to operate the Service. Each provider acts as a data processor under contract with Custodia:

We do not share your personal information with advertisers, data brokers, analytics companies, or any third party for marketing purposes.

5. Data Retention

• Account data — retained while your account is active. Deleted within 30 days of account deletion upon request.
• Scan reports — retained indefinitely to provide report history. You may delete individual reports from the dashboard or request bulk deletion.
• Scan cache entries — 30-day TTL. Auto-expired by query filter after 30 days.
• Source code — not retained. Exists only in memory during inference; never written to persistent storage.
• API keys — retained until you revoke them or delete your account.
• GitHub OAuth tokens — retained while you maintain the GitHub connection. Deleted immediately upon disconnection via dashboard or account deletion.
• Scheduled scan configuration — retained while the schedule is registered. Deleted when you remove the schedule or delete your account.
• SOC 2 reports — retained for 30 days after purchase, or as long as your account is active if you remain a customer, whichever is later.
• Anonymous research analytics — retained indefinitely as they contain no personal information. Cannot be linked to any individual.
• Billing records — retained for 7 years as required by generally accepted accounting standards and applicable tax law.

6. Data Security

We apply the following security controls to protect data at rest and in transit:

• All data in transit is encrypted via TLS 1.2 or higher.
• GitHub OAuth tokens and scheduled scan tokens are encrypted at rest using AES-256-GCM with unique initialization vectors.
• API keys are masked immediately after creation — only the prefix and last 4 characters are stored in retrievable form.
• Scan reports are HMAC-SHA256 signed to prevent tampering. Signature verification is available via our reports API.
• Database access is restricted to application service accounts with least-privilege permissions. Direct developer database access requires explicit authorization.
• Our AI inference provider (Anthropic) is contractually required to not train on or retain customer data beyond the inference request.

No security measure is 100% foolproof. If you believe you have discovered a security vulnerability in the Custodia Service, please disclose it responsibly to support@custodia.dev.

7. Your Privacy Rights

As a U.S.-based service, the following rights are available to all users, regardless of state of residence:

• Access — You may request a copy of the personal data we hold on you.
• Correction — You may request correction of inaccurate personal data. Your email and name can be updated directly through your Clerk account settings.
• Deletion — You may request deletion of your personal data. We will delete your account, scan history, API keys, GitHub tokens, and scheduled scan configurations within 30 days. Anonymized research analytics cannot be deleted as they contain no personal identifiers. Billing records are retained as required by law.
• Data Portability — You may request an export of your scan reports and account data in JSON format.
• Opt-Out of Research Analytics — You may request exclusion of your scan data from the anonymized research dataset at any time.

To exercise any of these rights, email support@custodia.devwith "Privacy Request" in the subject line. We will respond within 30 days. We may need to verify your identity before processing your request.

7.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): the right to know what personal information is collected; the right to delete personal information; the right to opt-out of the "sale" or "sharing" of personal information (Custodia does not sell or share personal information as defined under CCPA); and the right not to be discriminated against for exercising these rights. To submit a CCPA request, contact us at support@custodia.dev.

8. Children's Privacy

The Service is intended for use by individuals aged 18 or older who are professional software developers or authorized business representatives. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has created an account, contact us immediately at support@custodia.dev and we will promptly delete the account.

9. Cookies & Tracking

Custodia does not use third-party advertising cookies, tracking pixels, or behavioral profiling technologies. Clerk sets session cookies in your browser solely for authentication purposes. Vercel may set performance-monitoring cookies as part of its infrastructure. No cross-site tracking or retargeting is performed.

10. International Data Transfers

The Service is operated in the United States and all data is stored and processed in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. As noted above, the Service is currently offered to U.S. users only.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the "Effective Date" at the top of this page and, where required, notify you by email. Continued use of the Service after an updated policy becomes effective constitutes your acceptance of the updated policy.

12. Contact

For questions, concerns, or requests related to this Privacy Policy, contact: