Skip to content

Data Handling

How we store, process, and protect your data.

What we store

Category Examples
Organization settings Name, domains, DataSources
Users and access Email, name, roles, hashed password, 2FA secret
Third-party API keys HIBP, GitHub, GitLab tokens (encrypted)
Findings Detector findings — text, metadata, evidence
Sensitive evidence Paste contents, leak-site screenshots
Reports Generated PDF / DOCX / CSV
Audit log Who, when, what action

Encryption

At rest

  • DB: AES-256 at the storage layer (Neon native encryption).
  • API keys and sensitive fields: additional application-layer encryption (django-encrypted-model-fields) — even if someone obtains a DB dump, keys aren't readable without the application secret.
  • Files (reports, evidence): AES-256 on block storage.

In transit

  • TLS 1.3 for all external traffic.
  • mTLS between internal services.
  • HSTS with preload on the main domain.

Data residency

  • Primary deployment: EU (Frankfurt) via Neon.
  • Backups: same region, separate availability zone.
  • CDN: Cloudflare, caches only static assets (not data).

For Enterprise with strict data residency requirements — dedicated regions by agreement (sales@bytecode.team).

Data retention

Data type Retention
Findings (active) Unlimited while organization is active
Findings (resolved) 7 years (for compliance)
Sensitive evidence (pastes, leak-site screenshots) 90 days after resolution
Logs (application, access) 90 days
Audit log 7 years
Backups 30 days
Deleted organizations 30 days grace period, then deletion

Custom retention policies — Enterprise.

Backups

  • Daily — full DB snapshot.
  • Point-in-time recovery (PITR) — restore to any second over the last 7 days.
  • Geo-redundant — backups in a separate AZ.

Bytecode staff access

  • Default: staff has NO routine access to client data.
  • Support access: possible only on explicit client request (e.g., troubleshooting). Logged in client's audit log.
  • Emergency access: for incident response — logged + post-incident review.
  • Background checks: all staff with potential production access undergo background checks.

Sub-processors

List of third-party services processing your data:

Sub-processor What it does Region
Neon Managed PostgreSQL EU
AWS S3 File storage (reports, evidence) EU
Cloudflare CDN, DDoS protection Global
SendGrid Email delivery EU
Stripe Billing (does NOT process platform data) US

Full list with contacts — in the DPA.

Data transfer outside EU

  • All sub-processors in the list have Standard Contractual Clauses (SCC) with us.
  • For US-based ones (Cloudflare, Stripe) — additional DPA with SCC.
  • No client data is transferred to third countries without SCC.

Data deletion

On client request (GDPR Right to Erasure)

  1. Request to privacy@bytecode.team or via Settings → Privacy → Request data deletion.
  2. 30 days for verification (per GDPR).
  3. Deletion from production + backups (via rolling backups).
  4. Confirmation sent to client.

On organization closure

  • 30 days grace — restorable.
  • Then — automatic deletion from all systems + backups (rolling cycle).

Data export (Data Portability)

You can export all your organization's data in machine-readable format:

  1. Settings → Privacy → Export all data.
  2. Background job runs — within hours you get an email with a link.
  3. The archive contains a JSON dump of all findings, settings, users, reports.

Security incidents

If we have a security incident affecting your data:

  • Notification: within 72 hours (per GDPR Article 33).
  • Channel: email to organization admins + status page https://status.bytecode.team.
  • Post-incident review: published within 14 days.

Reporting security issues to us: security@bytecode.team.