Privacy & Security
Your code is yours. We built RuyiGuard with privacy as a core principle.
Last updated: March 29, 2026
TL;DR — Our Privacy Commitment
- ✓ Your source code is never stored on our servers
- ✓ Your code is never used to train any AI/ML models
- ✓ All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
- ✓ Code is processed in memory only and discarded after scan
- ✓ We use Anthropic's Claude API with zero-retention data policy
How Code Scanning Works
When you push code or trigger a scan, here's exactly what happens:
- Code retrieval: We fetch the relevant files from your repository via the GitHub API using the permissions you granted during installation. Only changed files in the PR/push are fetched.
- L1 Static Analysis: Your code is first scanned by our deterministic rule engine (pattern matching). This runs entirely in our secure infrastructure — no external API calls. The rule engine checks for SQL injection patterns, hardcoded secrets, XSS vectors, missing authentication, and weak cryptography.
- L2 LLM Analysis (Pro/Team only): For deeper analysis, code snippets are sent to Anthropic's Claude API for contextual vulnerability detection. We use Anthropic's zero-retention API tier — your code is processed in real-time and never stored or used for model training.
- Results generation: Scan results (severity, description, fix suggestions) are generated and stored. Only the metadata is retained — never the source code itself.
- Cleanup: All in-memory copies of your source code are immediately discarded after the scan completes. Typical processing time is under 10 seconds.
Data We Store
We store only what's necessary to provide the service:
| Data Type | Stored? | Retention |
| --- | --- | --- |
| Source code | ❌ Never | N/A |
| Scan results | ✓ Yes | 90 days |
| File paths & line numbers | ✓ Yes | 90 days |
| Account info | ✓ Yes | Until deletion |
| Usage metrics | ✓ Yes | 12 months |
LLM & AI Data Policy
Our L2 analysis uses Anthropic's Claude API. Here's how we ensure your code stays private:
- Zero-retention tier: We use Anthropic's enterprise API with contractual guarantees that prompts and completions are not stored, logged, or used for training.
- Minimal context: We send only the relevant code snippet (not your entire repo). Typical context is 50-200 lines.
- No PII: We strip comments and strings that might contain personal data before sending to the LLM.
- Encrypted transit: All API calls use TLS 1.3 encryption.
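The two data-minimisation steps described on this page, metadata-only scan results from the L1 pass under "How Code Scanning Works" and the stripping of comments and strings before an L2 call, can be illustrated with a small Python pipeline. This is an added example written for this page, not RuyiGuard's own code: the sample file, the file path, the two rule patterns, the `Finding` fields and the `"<redacted>"` placeholder are all assumptions made for illustration.

```python
import io
import re
import tokenize
from dataclasses import dataclass, asdict
from typing import List

# Constructed sample file (hypothetical; not from any real repository).
# It carries a hardcoded credential and a string-concatenated SQL query.
SAMPLE_PATH = "app/db.py"
SAMPLE_FILE = (
    "import sqlite3\n"
    "\n"
    'API_KEY = "sk-constructed-example-key-0000"  # pretend secret\n'
    "\n"
    "def find_user(db, name):\n"
    "    # build query by concatenation\n"
    "    query = \"SELECT * FROM users WHERE name = '\" + name + \"'\"\n"
    "    return db.execute(query)\n"
)


@dataclass(frozen=True)
class Finding:
    """Metadata-only scan result: there is deliberately no field for source text."""
    path: str
    line: int
    severity: str
    rule_id: str
    description: str


# Hypothetical L1-style rules: (rule id, severity, description, pattern).
RULES = [
    ("hardcoded-secret", "high", "Credential assigned from a string literal",
     re.compile(r"(?i)\b(api[_-]?key|password|secret|token)\s*=\s*[\"'][^\"']{8,}[\"']")),
    ("sqli-string-concat", "high", "SQL statement built by string concatenation",
     re.compile(r"(?i)[\"']\s*(select|insert|update|delete)\b.*[\"']\s*\+")),
]


def l1_scan(path: str, source: str) -> List[Finding]:
    """Run the pattern rules over one file and return metadata-only findings."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule_id, severity, description, pattern in RULES:
            if pattern.search(text):
                findings.append(Finding(path, lineno, severity, rule_id, description))
    return findings


def redact_for_llm(source: str) -> str:
    """Drop comments and blank out string literal contents before an L2 call.

    The tokenizer is used instead of regexes so that a '#' inside a string or
    a quote inside a comment cannot confuse the redaction. Token positions are
    kept, so untokenize() preserves the original line structure.
    """
    kept = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            continue
        if tok.type == tokenize.STRING:
            tok = tok._replace(string='"<redacted>"')
        kept.append(tok)
    return tokenize.untokenize(kept)


def scan_and_discard(path: str, source: str) -> List[dict]:
    """Whole pipeline: scan in memory, keep only serialisable metadata."""
    results = [asdict(f) for f in l1_scan(path, source)]
    del source  # the only reference this function held; nothing is persisted
    return results


if __name__ == "__main__":
    for r in scan_and_discard(SAMPLE_PATH, SAMPLE_FILE):
        print(r)
    print(redact_for_llm(SAMPLE_FILE))
```

Running the module reports the credential on line 3 and the concatenated query on line 7 without ever including the matched text, and the redacted source still parses as Python, so an L2 reviewer could reason about control flow while the literal values and comments never leave the process.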
Infrastructure & Security
- Hosted on SOC 2 Type II certified infrastructure
- All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- GitHub App uses minimal required permissions (read-only code access)
- Regular third-party security audits
- Bug bounty program available
Your Rights
You can at any time:
- Revoke access: Uninstall the GitHub App to immediately stop all scanning
- Delete data: Request deletion of all scan history and account data
- Export data: Download your scan history in JSON/SARIF format
- Opt out of L2: Use L1-only scanning if you prefer no LLM analysis
Contact
Questions about privacy or security? We're happy to help.
privacy@ruyiguard.ai
security@ruyiguard.ai (for vulnerability reports)
DPO: dpo@ruyiguard.ai (GDPR inquiries)