Security
We take the security of your data seriously. This page describes how CodeLedger protects the Service, limits source-code exposure, and gives enterprise reviewers evidence they can inspect.
Enterprise trust path
Security review and governance review should meet in the same evidence model.
CodeLedger is built around local-first context selection, deterministic evidence, and access-controlled enterprise views. Security teams can start here; audit and platform teams can continue into the Enterprise governance surface.
Explore enterprise governance
Fastest proof path
Start with one PR before a rollout.
The lowest-friction way to evaluate CodeLedger is a single pull request: no hosted source-code upload, no broad dashboard rollout, and no enterprise commitment before your team sees the evidence.
Install PR Intelligence
Add the GitHub Action in observe mode. CodeLedger posts one deterministic PR comment.
Open one real PR
Use your own repo so reviewers see file paths, risk signals, and evidence gaps in context.
Expand only after proof
Move from PR comments to the developer cockpit, full Insight dashboard, governance exports, and team memory.
How we protect your data
Source-code minimization
CodeLedger context selection runs locally. The marketing site, licensing API, and checkout flow do not require your source files, and source code is not uploaded for bundle scoring.
Audit evidence by design
Enterprise deployments can expose readiness exports, access evidence, control maps, and verification summaries so reviewers can inspect what happened without broad raw-ledger access.
Encryption in transit
All data exchanged between your device and our servers is encrypted using TLS. We enforce secure connections across all endpoints.
Encryption at rest
Data stored on our servers — including account information and usage records — is encrypted at rest using industry-standard algorithms.
Access controls
Access to production systems is restricted to authorized personnel, requires multi-factor authentication, and follows the principle of least privilege. Enterprise dashboard access can also be rolled out by plane and evidence depth.
Dependency management
We regularly scan our dependencies for known vulnerabilities and apply security patches on an ongoing basis, prioritizing critical fixes.
Data minimization
We collect only the data necessary to provide the Service. We do not collect or store your source code. Detailed information about what we collect is available in our Privacy Policy.
Incident response
We maintain an internal incident response process. In the event of a security incident affecting your data, we will notify affected users in accordance with applicable law.
Reviewer paths
Security
Confirm source-code handling, dependency hygiene, and incident response expectations.
Start with this page and the Privacy Policy.
Audit
Review evidence exports, control coverage, and the questions each governance surface answers.
Use the Enterprise governance page to map review depth before rollout.
Platform
Decide which teams see summary, drilldown, raw evidence, or export access.
Plan plane-by-plane access before enabling wider dashboard visibility.
Reporting a vulnerability
If you believe you have discovered a security vulnerability in CodeLedger, please let us know as soon as possible. We ask that you give us a reasonable opportunity to investigate and address the issue before making any public disclosure.
- Email your report to security@codeledger.dev
- Include a description of the issue, steps to reproduce it, and its potential impact
- We will acknowledge your report within 48 hours and keep you informed as we investigate
- We ask for 90 days to remediate before any public disclosure
We appreciate the work of security researchers and will credit you in our changelog (with your permission) upon resolution.
Contact
For security matters, contact us at security@codeledger.dev. For general support, use support@codeledger.dev.