We Analyze Security. We Don't Store Your Code.
Patchlynx performs reachability analysis on your lockfile and call-site metadata. Your source code is never transmitted to our servers, never stored, and never used to train models. We're a security company — our architecture has to be defensible.
What Patchlynx accesses — and what it never touches
We operate on a minimal-data principle: only what is necessary for reachability analysis is transmitted to our systems. Everything else stays on your infrastructure.
What Patchlynx reads
- Lockfiles (package-lock.json, yarn.lock, etc.)
- Package manifests (package.json, requirements.txt, etc.)
- Entry point configuration (.patchlynx.yml)
- PR metadata (title, branch, commit SHA)
What we never access
- Your source code (not transmitted to our servers)
- Credentials, secrets, or environment variables
- Issue content, PR comments, or code review discussions
- Org-wide repository list (scoped to installed repos only)
Infrastructure
- Hosted on AWS (us-east-1 primary)
- Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Analysis runs in ephemeral isolated sandboxes
- Scan data retained for 90 days, then purged
Access controls
- Role-based access control (RBAC) on all resources
- MFA required for all internal accounts
- Principle of least privilege across all services
- Audit logs retained for 1 year
Report a vulnerability
If you discover a security vulnerability in Patchlynx — in our web application, API, analysis pipeline, or infrastructure — please report it responsibly. We take every report seriously and commit to a 48-hour acknowledgment and timely remediation.
Email: [email protected]
We ask for reasonable time to address issues before public disclosure (typically 90 days unless severity warrants earlier coordination). We will credit responsible disclosures in our changelog with your preferred attribution. We do not pursue legal action against researchers acting in good faith.
Out of scope: rate limiting on public pages, clickjacking on pages without authentication actions, missing HTTPS on third-party services. Please review our full disclosure policy before reporting.
Questions about our security architecture?
We're happy to walk through our architecture and data handling practices in detail. Email [email protected] or use the contact form. We don't have a generic security one-pager — we answer specific questions.