Security

At Sourcebot, we know that source code is one of the most valuable assets of your business. We've built every piece of our infrastructure with the security of your data in mind.

Sourcebot Cloud

How do you handle and store secrets?

All secret tokens are encrypted in transit using TLS. Once your secret tokens arrive on our servers, we encrypt them using AES-256 before storing them within our database. Our database is hosted on Google Cloud Platform and is further encrypted at rest.

How and where is my source code stored?

Your source code is stored within a Google Cloud Storage container hosted in the United States (us-west-1). This container is hosted within a private VPC that is inaccessible to the public internet. Your source code is encrypted in transit from the code host to storage using TLS.

How are search results handled?

When submitting a search query, the results are encrypted in transit using TLS. We do not store search query result information anywhere on our servers.

How do you ensure that my source code isn't accessible to other Sourcebot Cloud users?

We implement multiple layers of security to ensure that your source code remains private to your organization:

  • We don't store any account login information on our servers. The only way to log in to Sourcebot Cloud is using OAuth or a login code that is sent to your email. These two login methods are mutually exclusive (i.e. if you choose to use OAuth, you cannot use the login code method).

  • Any API that is used to retrieve or modify sensitive information requires encrypted JWT-based authentication.

  • When we index your repositories, your unique Sourcebot organization identifier is baked into the generated index. When an individual makes a search query on Sourcebot Cloud, only the indexes that have their unique organization identifier baked into them are accessed. This system is built into zoekt, the underlying indexing system built by Google which Sourcebot uses.

What personal information do you collect and how is it stored?

Please visit our Privacy Policy page for more information on how we collect and store personal information.

Who has access?

We are a team of two software engineers who've worked on highly secure systems serving millions of DAUs at Google, Microsoft, and Meta. We're the only individuals who have access to the infrastructure. You can find us here: Michael Sukkarieh and Brendan Kellam.

Sourcebot Self-Hosted

Does any data leave my machine?

By default, we collect fully anonymized metrics that help us track usage and ensure the health of our self-hosted deployments. This data collection can be completely disabled. Please visit our Privacy Policy page for more information.

Does my source code leave my machine?

Your source code will never leave your machine.

© 2025 Taqla, Inc. All rights reserved.
