Privacy Policy

Last updated: March 2026

1. Introduction

ShipSafe ("we," "us," or "our") operates the ship-safe.co website and related services. ShipSafe is a SaaS security scanner designed for applications built with AI-assisted coding tools such as Cursor, Lovable, Bolt, and v0. You paste a GitHub repository URL, and ShipSafe scans your code to generate a plain-English security report.

This Privacy Policy explains what data we collect, how we use it, and the choices you have. By using ShipSafe, you agree to the practices described in this policy.

2. Information We Collect

Account Information

When you sign up via GitHub OAuth (powered by Clerk), we receive your name, email address, and GitHub profile information. We do not collect or store your GitHub password.

Repository Data

When you initiate a scan, we access the source code of the specified GitHub repository through the GitHub API. Source code is processed during the scan and is not stored permanently. Only the resulting security report and metadata (e.g., repository name, scan timestamp, findings) are retained.

GitHub OAuth Scope Disclosure: ShipSafe requests the repo OAuth scope from GitHub. This scope grants both read and write access to your repositories, including private repositories. However, ShipSafe only uses read access to fetch source code for security scanning. We do not modify, push to, or delete any repository content. The broad repo scope is required because GitHub does not offer a read-only OAuth scope for private repositories. You can revoke ShipSafe's access at any time from your GitHub Settings > Applications.

Usage Data

We collect standard usage information such as pages visited, scan frequency, feature usage, browser type, and device information to improve the service.

Payment Information

Payments are processed by Polar. We do not store your credit card number, CVC, or full card details on our servers. Our payment processor provides us with limited information such as the last four digits of your card, card brand, and billing address for record-keeping purposes.

3. How We Use Your Information

  • Provide and operate the service — running security scans, generating reports, and managing your account.
  • Improve the service — analyzing usage patterns to enhance scan accuracy, performance, and user experience.
  • Send notifications — transactional emails (scan results, billing receipts) and occasional product updates. You can opt out of non-essential communications at any time. Unsubscribe requests are processed immediately upon receipt.
  • Enforce terms and prevent abuse — detecting and preventing misuse of the platform.

4. Data Retention

Source code is accessed only during the active scan and is not permanently stored. Code snippets may be temporarily held in memory during AI analysis, but are discarded once the scan report is generated.

Specific retention periods for other data categories:

  • Account data — retained while your account is active, deleted within 30 days of account deletion.
  • Scan reports and findings — retained while your account is active.
  • Usage events — retained for 12 months.
  • CLI tokens — automatically purged when expired (daily cleanup).
  • Error monitoring data (Sentry) — 30 days (per Sentry's retention policy).

5. Third-Party Services

We use the following third-party services to operate ShipSafe. Each has its own privacy policy governing how they handle data:

| Service | Purpose |
|---|---|
| Clerk | Authentication and user management (GitHub OAuth) |
| Convex | Database — stores scan reports, account data, and application state |
| Polar | Checkout, subscription management, and payment processing |
| Resend | Transactional email delivery |
| Vercel | Hosting and content delivery |
| GitHub API | Repository access for code scanning |
| Anthropic | AI-powered code analysis — code snippets are sent for security analysis during scans |
| Vercel Analytics | Web performance analytics (cookie-less) |
| Vercel Speed Insights | Web performance analytics (cookie-less) |

Code snippets sent to Anthropic are used solely for generating your security report. We use API configurations designed to prevent your code from being used for model training, consistent with our agreement with Anthropic. See Anthropic's usage policy for details.

Sub-Processors

The following table details our sub-processors, the data they process, and their locations:

| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, profile | United States |
| Convex | Database | Account data, scan results | United States |
| Polar | Billing & subscriptions | Payment info, billing, subscription data | United States |
| Resend | Transactional email | Email addresses, notification content | United States |
| Vercel | Hosting | Application data, access logs | United States |
| Anthropic | AI code analysis | Code snippets (not stored) | United States |
| GitHub | Repository access | Repository contents | United States |
| Sentry | Error monitoring & session replay | Error logs, performance data, IP addresses, session replays on errors | United States |

Session Replay

When an error occurs while using ShipSafe, Sentry may capture a session replay — a reconstruction of user interactions (clicks, navigation, page content) leading up to the error. Session replays are used solely for debugging and are automatically deleted after 30 days. Sensitive form inputs (passwords, payment details) are masked and never recorded. Session replays are only captured when an error occurs and are not used for analytics, marketing, or user profiling.

6. Data Security

We take reasonable measures to protect your data, including:

  • Encryption of data in transit (TLS) and at rest.
  • Access controls limiting who can view or modify production data.
  • Regular review of third-party service configurations and permissions.
  • Minimal data collection — we only collect what is necessary to provide the service.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights

You have the right to:

  • Access your personal data and scan history.
  • Delete your account and associated data.
  • Export your scan reports and account information.
  • Opt out of non-essential communications.

To exercise any of these rights, contact us at support@ship-safe.co.

8. Cookies

ShipSafe uses minimal cookies, primarily for authentication and session management (provided by Clerk). We do not use advertising or tracking cookies. Essential cookies are required for the service to function and cannot be disabled.

| Cookie Name | Type | Duration | Purpose | Required |
|---|---|---|---|---|
| cookie-consent | Essential | 1 year | Stores your cookie consent preferences. | Yes |
| __clerk_db_jwt | Essential | Session | Clerk authentication session token. | Yes |
| __client_uat | Essential | Session | Clerk client authentication token. | Yes |
| Sentry cookies | Error Monitoring | Session | Sentry error tracking and session replays. Only set with your consent. | No |

You can manage your cookie preferences at any time by contacting us. We do not use advertising or marketing cookies. For performance monitoring, we use Vercel Analytics and Vercel Speed Insights, which are cookie-less and do not track individual users across sites.

9. Children's Privacy

ShipSafe is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

10. International Users & GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply to you.

Legal Bases for Processing (GDPR Article 6)

We process your personal data under the following Article 6(1) legal bases:

  • Art. 6(1)(b) — Contract performance — processing necessary to provide the ShipSafe service you have signed up for, including running security scans, generating reports, managing your account, and processing payments.
  • Art. 6(1)(f) — Legitimate interest — improving the service, ensuring security, preventing abuse, and sending transactional communications. Our legitimate interests do not override your fundamental rights and freedoms.
  • Art. 6(1)(a) — Consent — error monitoring via Sentry (including session replays), which you can withdraw at any time through cookie settings without affecting the lawfulness of prior processing.
  • Art. 6(1)(c) — Legal obligation — processing required to comply with applicable laws, such as tax and accounting requirements for paid subscriptions.

International Data Transfers

Your data is processed in the United States. For users in the EEA, UK, or Switzerland, transfers rely on Standard Contractual Clauses (SCCs) executed with our sub-processors to ensure an adequate level of data protection.

Your Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Access — obtain confirmation and a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — request that we limit the processing of your data in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format and transmit it to another controller.
  • Objection — object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@ship-safe.co. We will respond within 30 days.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed in violation of applicable data protection law.

Automated Decision-Making

ShipSafe's AI-powered scanning involves automated analysis of source code to identify potential security vulnerabilities. This analysis produces informational reports only. No decisions with legal effects or similarly significant effects are made solely by automated means.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information Collected

  • Identifiers — name, email address, GitHub username.
  • Commercial information — subscription plan, billing history.
  • Internet or electronic network activity — usage data, pages visited, scan history.
  • Professional or employment-related information — GitHub profile data, repository information.

Your California Privacy Rights

  • Right to know — request disclosure of the personal information we collect, use, and share about you.
  • Right to delete — request deletion of your personal information.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt-out — opt out of the sale or sharing of your personal information.

We do not sell or share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.

Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a request, contact us at support@ship-safe.co.

12. Additional US State Privacy Rights

In addition to California (CCPA/CPRA), residents of the following US states have privacy rights under their respective state laws:

  • Virginia — Virginia Consumer Data Protection Act (VCDPA)
  • Colorado — Colorado Privacy Act (CPA)
  • Connecticut — Connecticut Data Privacy Act (CTDPA)
  • Utah — Utah Consumer Privacy Act (UCPA)
  • Texas — Texas Data Privacy and Security Act (TDPSA)
  • Oregon — Oregon Consumer Privacy Act (OCPA)
  • Montana — Montana Consumer Data Privacy Act (MCDPA)

Residents of these states generally have similar rights, including:

  • Access — confirm whether we process your personal data and obtain a copy.
  • Delete — request deletion of your personal data.
  • Correct — request correction of inaccurate personal data.
  • Opt-out — opt out of the sale of personal data, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Appeal — appeal a denial of a privacy rights request.

We do not sell personal data or use it for targeted advertising or profiling as defined under these state privacy laws.

To exercise any of these rights, contact us at support@ship-safe.co. If you are not satisfied with our response, you may appeal by contacting us again with "Privacy Appeal" in the subject line. We will respond to appeals within the timeframe required by your state's law.

13. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities in accordance with applicable law.

For users in the EEA, UK, or Switzerland, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, as required by GDPR Article 33.

Breach notifications will include:

  • The nature of the personal data breach.
  • The likely consequences of the breach.
  • The measures taken or proposed to address and mitigate the breach.

14. Israeli Privacy Protection Law

ShipSafe is operated by a founder based in Israel. Accordingly, the Israeli Protection of Privacy Law, 5741-1981 and the Privacy Protection Regulations (Data Security), 5777-2017 may apply to our processing of personal data.

Your Rights Under Israeli Law

If Israeli privacy law applies to you, you have the following rights regarding your personal data:

  • Right of access — you may request to review personal data held about you in our databases.
  • Right to correction — you may request that we correct or delete inaccurate data.
  • Right to object — you may object to the use of your personal data for direct marketing purposes and request its removal from marketing databases.
  • Right to deletion — you may request that we delete your personal data, subject to applicable legal retention requirements.

Data Security

We maintain technical and organizational security measures in compliance with the Privacy Protection Regulations (Data Security), 5777-2017, including access controls, encryption, and incident response procedures. Based on the nature of personal data we process (primarily account identifiers and scan metadata), our database is classified at the "Basic" security level under the 2017 Regulations. We apply security measures that meet or exceed the requirements for this classification level.

Cross-Border Data Transfers

Personal data may be transferred and processed outside of Israel, primarily in the United States. Such transfers are conducted in accordance with the Israeli Protection of Privacy Law, and we ensure that adequate safeguards are in place to protect your data in the receiving jurisdiction.

Israel has been recognized by the European Commission as providing an adequate level of data protection (Commission Decision 2011/61/EU). This adequacy decision facilitates lawful data transfers between the European Economic Area (EEA) and Israel without the need for additional safeguards such as Standard Contractual Clauses.

Database Registration

In accordance with Section 8 of the Protection of Privacy Law, 5741-1981, we will register any applicable databases with the Israeli Privacy Protection Authority (PPA) as required by law based on data volume and sensitivity thresholds.

Business Registration

ShipSafe is operated by Tomer Goldstein, registered as an Osek Patur (exempt dealer) with the Israel Tax Authority, located at Reut 12B, Hod HaSharon 4529614, Israel.

To exercise any of these rights, contact us at support@ship-safe.co. We will respond within 30 days.

15. Record of Processing Activities

We maintain a Record of Processing Activities (ROPA) as required by GDPR Article 30, documenting all categories of processing activities carried out under our responsibility. This record is available upon request to supervisory authorities. For questions, contact support@ship-safe.co.

For a detailed assessment of risks related to our AI-powered scanning, see our Data Protection Impact Assessment (DPIA) below.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, through in-app notifications or email.


Appendix A

Data Processing Agreement

Last updated: March 2026

1. Definitions

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ShipSafe ("Processor," "we," "us") operating at ship-safe.co and the customer ("Controller," "you") who uses the ShipSafe service.

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • "Controller" means the entity that determines the purposes and means of Processing Personal Data.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
  • "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.

2. Scope and Purpose of Processing

ShipSafe is a SaaS security scanner designed for applications built with AI-assisted coding tools. This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in connection with providing the ShipSafe service.

Subject Matter

The Processor provides security scanning and analysis of source code repositories submitted by the Controller, generating security reports and vulnerability assessments.

Nature and Purpose

Personal Data is processed for the purpose of providing the ShipSafe service, including account management, authentication, security scanning, report generation, payment processing, and transactional communications.

Types of Personal Data

  • Account identifiers (name, email address, GitHub username)
  • Authentication data (OAuth tokens, session information)
  • Repository metadata (repository names, scan timestamps, scan results)
  • Payment and billing information (processed by third-party payment providers)
  • Usage data (pages visited, feature usage, device information)

Categories of Data Subjects

  • Customers and end users of the ShipSafe service
  • Developers whose repositories are submitted for scanning

Duration

Processing continues for the duration of the Controller's use of the ShipSafe service, plus any retention period required by law or described in Section 9 of this DPA.

3. Data Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Section 7 of this DPA.
  • Assist the Controller in fulfilling its obligation to respond to Data Subject requests, as described in Section 6 of this DPA.
  • Assist the Controller in ensuring compliance with its obligations regarding security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • At the choice of the Controller, delete or return all Personal Data upon termination of the service, unless retention is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection provisions.

4. Sub-processors

The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days.

The Processor has engaged the following sub-processors:

| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Convex | Database | Account data, scan reports, application state | United States |
| Clerk | Authentication | Email, name, GitHub profile, session tokens | United States |
| Anthropic | AI-powered code analysis | Code snippets (transient, not stored) | United States |
| Resend | Transactional email | Email addresses, notification content | United States |
| Polar | Payments & subscription management | Payment info, billing data, subscription state | United States |
| GitHub | Code access via OAuth | Repository contents, OAuth tokens | United States |
| Sentry | Error monitoring, performance tracking | Error logs, IP addresses, session replays | United States |
| Vercel | Hosting and edge compute | Request logs, IP addresses | United States |

The Processor shall impose the same data protection obligations as set out in this DPA on each sub-processor by way of a contract, ensuring that each sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.

The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

5. Controller Obligations

The Controller shall:

  • Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents have been obtained from Data Subjects where required.
  • Provide documented processing instructions to the Processor.
  • Ensure that repositories submitted for scanning do not contain Personal Data beyond what is necessary, or that appropriate safeguards are in place where they do.
  • Comply with its obligations under applicable data protection laws, including GDPR.

6. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including:

  • Right of access — obtaining confirmation and a copy of Personal Data being processed.
  • Right to rectification — correcting inaccurate or incomplete Personal Data.
  • Right to erasure — deleting Personal Data ("right to be forgotten").
  • Right to restriction of processing — limiting the processing of Personal Data in certain circumstances.
  • Right to data portability — receiving Personal Data in a structured, commonly-used, machine-readable format.
  • Right to object — objecting to processing based on legitimate interests or for direct marketing.

The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to the request without the Controller's prior written authorization, unless required by applicable law.

Data Subject requests can be submitted to support@ship-safe.co and will be addressed within 30 days.

7. Data Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data, in accordance with GDPR Article 32:

Technical Measures

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest in all databases and storage systems.
  • Source code submitted for scanning is processed in memory and is not stored permanently. Code is discarded once the security report is generated.
  • Role-based access controls limiting access to production systems and Personal Data.
  • Regular security assessments and vulnerability scanning of our own infrastructure.
  • Automated monitoring and alerting for anomalous access patterns.

Organizational Measures

  • Principle of least privilege for all personnel with access to Personal Data.
  • Confidentiality obligations for all personnel who process Personal Data.
  • Regular review of third-party service configurations and access permissions.
  • Data minimization — we collect and process only the Personal Data necessary to provide the service.
  • Documented incident response procedures for handling data breaches.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach, in accordance with GDPR Article 33.

The notification shall include:

  • A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned.
  • The name and contact details of the Processor's point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data breach.

9. International Data Transfers

Personal Data is processed primarily in the United States. For Controllers and Data Subjects located in the European Economic Area (EEA), United Kingdom, or Switzerland, the Processor ensures that appropriate safeguards are in place for international transfers of Personal Data.

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs) — the Processor uses the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) for transfers of Personal Data to third countries that do not have an adequate level of data protection, as approved by Commission Implementing Decision (EU) 2021/914.
  • Sub-processor agreements — the Processor ensures that all sub-processors listed in Section 4 maintain equivalent data transfer safeguards, including SCCs where applicable.
  • Supplementary measures — the Processor implements additional technical and organizational measures (such as encryption and access controls) to supplement transfer mechanisms where necessary.

The Processor shall promptly inform the Controller if it becomes aware of any changes in applicable law that may affect the validity of the transfer mechanisms in place.

10. Duration and Termination

This DPA shall remain in effect for the duration of the Controller's use of the ShipSafe service. Upon termination of the service:

  • The Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller within 30 days of receiving a written request, unless applicable law requires further retention.
  • The Processor shall delete existing copies of Personal Data unless applicable law requires storage of the Personal Data.
  • Upon request, the Processor shall provide written certification of deletion to the Controller.

Obligations relating to confidentiality, data security, and cooperation with supervisory authorities shall survive the termination of this DPA.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for obligations that cannot be limited under applicable data protection law.

12. Record of Processing Activities

The Controller maintains a Record of Processing Activities in accordance with Art. 30 GDPR. The Processor maintains its own Record of Processing Activities documenting all categories of processing carried out on behalf of Controllers, available upon request to supervisory authorities.


Appendix B

Data Protection Impact Assessment

GDPR Article 35 — Last updated: March 2026

1. Description of Processing

What Data Is Processed

ShipSafe's AI-powered scanning processes source code from GitHub repositories submitted by the user. The data sent to the AI model (Anthropic Claude) includes:

  • Source code files from the specified repository (read-only access via GitHub API)
  • File paths and directory structure metadata
  • Repository name and scan configuration parameters

Source code may incidentally contain personal data such as developer names in comments, email addresses in configuration files, or hardcoded credentials (which the scan aims to detect and flag).

Purpose of Processing

The purpose of AI scanning is to identify potential security vulnerabilities, misconfigurations, and risks in user-submitted source code. The AI model analyzes code patterns and produces a plain-English security report with findings and remediation recommendations.

Technology Used

ShipSafe uses Anthropic's Claude API for AI-powered code analysis. Code snippets are sent via encrypted API calls and processed in real-time. Anthropic does not use API inputs for model training (per their commercial API terms).

2. Necessity and Proportionality Assessment

Necessity

AI-powered scanning is necessary to provide the core value of ShipSafe: identifying complex security vulnerabilities that rule-based scanners cannot detect. Users explicitly initiate each scan by submitting a repository URL, providing clear informed consent for code analysis.

Proportionality

  • User-initiated: Scanning only occurs when a user explicitly submits a repository. We do not proactively scan or index repositories.
  • Minimal data: Only source code necessary for security analysis is processed. We do not analyze commit history, pull requests, issues, or other repository metadata beyond what is needed.
  • No permanent storage of code: Source code is processed in-memory and discarded after the scan report is generated. Only findings and metadata are retained.
  • Transient API processing: Code sent to Anthropic's API is processed in real-time and not retained by Anthropic beyond the API request lifecycle.

3. Risks to Data Subjects

| Risk | Likelihood | Severity | Description |
|---|---|---|---|
| Code exposure in transit | Low | High | Source code could be intercepted during transmission to the AI provider. |
| Incidental personal data in code | Medium | Low | Code may contain developer names, emails, or other personal data in comments or configuration files. |
| False positive findings | Medium | Low | AI may incorrectly flag secure code as vulnerable, potentially causing unnecessary remediation effort. |
| False negative findings | Medium | Medium | AI may fail to detect actual vulnerabilities, leading to a false sense of security. |
| Prompt injection via code | Low | Medium | Malicious code could attempt to manipulate the AI model's behavior through embedded instructions. |
| Unauthorized repository scanning | Low | High | A user could submit a repository they do not have authorization to scan. |

4. Mitigation Measures

Encryption and Transport Security

  • All API calls to Anthropic use TLS 1.2+ encryption in transit.
  • GitHub API access uses encrypted OAuth tokens.
  • No source code is stored at rest — code is held only in memory during active scanning.

No Code Storage

  • Source code is processed in-memory and discarded after the scan completes.
  • Only structured findings (vulnerability title, severity, file path, description) are persisted in the database.
  • Anthropic's commercial API does not retain inputs beyond the request lifecycle and does not use them for model training.

Prompt Injection Defense

  • The AI scanning prompt uses structured system instructions that separate code content from analysis directives.
  • Code is provided to the AI as data context, not as executable instructions.
  • Output is validated and structured before being presented to users.

Access Controls

  • Users can only scan repositories they have access to via their authenticated GitHub account.
  • Scan results are private to the user who initiated the scan.
  • GitHub OAuth tokens are stored securely via Clerk and are never exposed to the client.

Transparency and User Control

  • Users are informed that AI analysis is performed by Claude (Anthropic) at the point of scan.
  • Scan results clearly state that findings are AI-generated and should be independently verified.
  • Users can delete their scan data at any time through their account settings or by contacting support.

5. Conclusion

Based on this assessment, the residual risk of ShipSafe's AI-powered scanning to data subjects is low. The processing is user-initiated, transient (no code storage), encrypted in transit, and subject to Anthropic's commercial data protection commitments. The informational nature of scan results means no automated decisions with legal or similarly significant effects are made. We will review this DPIA annually or when material changes are made to the scanning process.

17. Contact

ShipSafe is operated by Tomer Goldstein, a sole proprietor doing business as ShipSafe. The data controller for the purposes of GDPR and applicable data protection law is Tomer Goldstein.

Data Controller & Legal Contact

Tomer Goldstein d/b/a ShipSafe

Reut 12B, Hod HaSharon 4529614, Israel

Email: support@ship-safe.co