Trust & Safety

Security

How scans work

When you submit a repository, the code is fetched and processed inside an isolated, ephemeral sandbox. Each sandbox is a separate environment with no access to the internet, no access to other users' data, and no persistence beyond the current session.

At the end of every scan — whether it completes successfully or fails — the sandbox is destroyed. Your source code never touches our production infrastructure and is never written to any persistent storage.

Data handling

Scan results (findings, severity levels, remediation plans) are stored encrypted at rest, and all data is encrypted in transit; we use industry-standard encryption for both.

Source code is never persisted. The only artefact of a scan that we store is the structured findings report — the list of issues found, their locations, and suggested remediations. The actual file contents are never retained.

What we never do

We never execute your code outside of the isolated sandbox environment. We never access your production environment, your secrets manager, your database, or any infrastructure connected to your repository.

We never share your scan results with third parties, and we never use your findings data to train external models.

What we scan for

UniDeploy checks for issues in the OWASP Top 10, including broken access control, cryptographic failures, injection vulnerabilities, and security misconfiguration. It also checks specifically for secrets exposure (hardcoded API keys, service role credentials), authentication logic errors, database access policy misconfigurations, and missing security headers.

Our detection rules are deterministic: each finding is triggered by a specific pattern at a specific location in your code, not by a probabilistic model. The same commit therefore produces the same findings on every run, and every finding can be traced back to the rule and the line that matched it, which keeps false positives low and makes each one easy to verify.
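To make concrete what a deterministic, pattern-based rule set looks like and what a findings report contains without the source itself, here is an added example written for this page. It is not UniDeploy's scanner: the rule ids, severities, regular expressions, remediation text, the redaction format and the sample repository are all constructed for illustration. It runs three rules (a service-role credential rule, a generic hardcoded-secret rule, and a missing-security-headers rule for Express apps) over an in-memory tree and returns only the structured findings, with the matched secret value redacted.

```python
"""Added example (not UniDeploy's own code): a small deterministic,
rule-based scanner. Every rule is a fixed pattern, every finding names the
rule, file and line that triggered it, and the only output is a findings
report with the secret value redacted; file contents are never part of it.
Rule ids, patterns, severities and the sample repository are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Rule:
    id: str
    severity: str
    pattern: re.Pattern      # one regex per rule; a named group "value" is redacted
    remediation: str


# Line-level rules: a finding is produced for every line the pattern matches.
LINE_RULES = [
    Rule("SECRET-001", "critical",
         re.compile(r"""(?i)[a-z_]*service_role[a-z_]*\s*[:=]\s*['"]?(?P<value>[A-Za-z0-9._-]{20,})['"]?"""),
         "Keep the service-role key server-side in a secrets manager; rotate it if it was committed."),
    Rule("SECRET-002", "high",
         re.compile(r"""(?i)[a-z_]*(api[_-]?key|secret[_-]?key|password)\s*[:=]\s*['"](?P<value>[^'"]{8,})['"]"""),
         "Load the value from an environment variable or secrets manager instead of a literal."),
]

# File-level rule: an Express app that never installs security headers.
EXPRESS_APP = re.compile(r"\bexpress\(\)")
HEADER_MARKERS = ("helmet(", "Strict-Transport-Security", "X-Content-Type-Options")
HEADERS_RULE = Rule("HEADERS-001", "medium", EXPRESS_APP,
                    "Add helmet() or set HSTS / X-Content-Type-Options / CSP headers on every response.")


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    excerpt: str        # the matched line with any secret value redacted
    remediation: str


def redact(line: str, match: re.Match) -> str:
    """Replace the captured secret with a fixed placeholder so the report
    never carries the credential itself."""
    if match.groupdict().get("value"):
        s, e = match.span("value")
        line = line[:s] + "[REDACTED]" + line[e:]
    return line.strip()


def scan_file(path: str, text: str) -> list[Finding]:
    findings = []
    lines = text.splitlines()
    for n, line in enumerate(lines, start=1):
        for rule in LINE_RULES:
            m = rule.pattern.search(line)
            if m:
                findings.append(Finding(rule.id, rule.severity, path, n,
                                        redact(line, m), rule.remediation))
    # Absence-based rule: the app is created but no header middleware appears anywhere.
    if EXPRESS_APP.search(text) and not any(h in text for h in HEADER_MARKERS):
        n = next(i for i, l in enumerate(lines, 1) if EXPRESS_APP.search(l))
        findings.append(Finding(HEADERS_RULE.id, HEADERS_RULE.severity, path, n,
                                lines[n - 1].strip(), HEADERS_RULE.remediation))
    return findings


def scan_repo(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory repository and return the structured findings report
    in a stable order, so two scans of the same tree produce identical output."""
    findings = [f for path in sorted(files) for f in scan_file(path, files[path])]
    findings.sort(key=lambda f: (f.path, f.line, f.rule_id))
    return [asdict(f) for f in findings]


# Constructed sample repository; the key below is a placeholder, not a real credential.
SAMPLE_REPO = {
    "lib/supabase.ts": (
        "import { createClient } from '@supabase/supabase-js'\n"
        "const SUPABASE_SERVICE_ROLE_KEY = 'sb_secret_EXAMPLE0123456789abcdef'\n"
        "export const admin = createClient(process.env.SUPABASE_URL!, SUPABASE_SERVICE_ROLE_KEY)\n"
    ),
    "server.js": (
        "const express = require('express')\n"
        "const app = express()\n"
        "app.get('/', (req, res) => res.send('ok'))\n"
        "app.listen(3000)\n"
    ),
    "config.py": "import os\nAPI_KEY = os.environ['API_KEY']\n",       # env lookup: not flagged
    ".env.example": "SUPABASE_SERVICE_ROLE_KEY=\nSTRIPE_API_KEY=\n",   # empty placeholders: not flagged
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(finding)
```

Two properties of the page's description are visible in the output: the report contains the rule, path, line and a redacted excerpt but never the raw file, and running `scan_repo` twice on the same tree yields the same list, since the rules carry no state and the result is sorted. The `config.py` and `.env.example` entries show why a pattern that requires a literal value does not fire on environment lookups or empty placeholders.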

Responsible disclosure

If you discover a security vulnerability in UniDeploy itself — not in a scanned repository, but in our own product — please report it to us. We aim to respond within 48 hours and to remediate confirmed issues within 7 days.

Contact us via: cal.com/rahulpandey187/unideploy-demo. Please include a description of the vulnerability, steps to reproduce it, and your assessment of the potential impact. We do not currently offer a bug bounty, but we will credit you in our changelog if you consent.