Our Privacy Principles
Krait follows four guiding principles across all product workflows:Minimal Data Collection
Krait only collects the data required to perform vulnerability detection and deliver accurate security insights.We do not collect or store unnecessary personal data.
Customer Ownership and Control
All data scanned through Krait, including repositories, container images and integration metadata, remains your property.You control:
- what gets scanned
- how long data is retained
- when resources or integrations are removed
- who has access inside your workspace
No Unauthorized Access
We never access your assets manually unless you grant temporary permissions. Automated scanning workflows happen inside secure processing environments, with strict access controls and audit trails.Transparency at Every Step
Krait offers clear visibility into what we collect and how it is used. No hidden tracking, no silent monitoring and no use of customer data for training external AI models. We do not train our models with your data. Your source code and analysis results remain private and are never used for model training purposes.Anonymized, aggregated scan data may be used to improve detection accuracy and analyze broad security trends, in a form that cannot reasonably identify your organization, repositories or findings.
What Data Krait Processes
Krait processes only the data required to identify security risks and support remediation. All data is used strictly for security analysis and platform functionality.Account Information
When you register, Krait collects your email address, name or display name, and optional organization information. If you sign in via a third-party provider (Google, GitHub or GitLab), basic profile data is received subject to the permissions you grant.Automatic Technical Data
The platform automatically collects technical metadata to operate and secure the service:- IP addresses and browser or device information
- Referring URLs and pages visited
- Session data and authentication activity
Code & Repository Data
When you connect GitHub or GitLab repositories, Krait accesses repository names, URLs and metadata, commit history, file paths, source code contents, configuration files and CI/CD workflow files, using read-only access for security analysis.- Only the minimum necessary data is processed to detect vulnerabilities, insecure dependencies and misconfigurations.
- Your full source code is not stored beyond what is needed for a scan.
- Krait never modifies your repositories and does not push commits or changes.
- Temporary copies used during analysis are deleted immediately after the scan completes.
Container Images & Packages
Container image scans capture image identifiers, registry references, operating system metadata, installed packages, Dockerfile information and vulnerability findings with CVE identifiers. Images are:- Scanned in secure, temporary environments
- Not retained after analysis is complete
AI Deep Scan
Krait’s AI Deep Scan feature processes source code snippets and patterns, dependency information, infrastructure-as-code files and application logic to generate analysis results and remediation suggestions. This data is handled under the same privacy and security standards as all other code data.Integration Metadata
Krait processes limited metadata from integrations such as Jira, Linear, Git providers and cloud platforms. This data is used only to:- Scan resources to find vulnerabilities
- Link vulnerabilities to teams or projects
- Create and synchronize tickets
- Support remediation workflows
Payment Data
Payment processing is handled by Stripe. Krait stores billing metadata such as customer ID, subscription status and plan information, but not full card details. Billing records are retained for 7 years to meet US tax compliance requirements.How We Use Your Data
Krait uses collected data to:- Operate the service and manage user accounts
- Authenticate and secure your account
- Process subscriptions and payments
- Provide customer support
- Detect abuse and security threats
- Send service updates and security notices
- Improve platform features and scanning accuracy
Data Security & Storage
Encryption Standards
All data is protected at every layer:- In transit: TLS encryption on all connections
- At rest: AES-256 encryption for stored data
Storage Location
Data resides primarily in us-east-1 (US East, N. Virginia). EU storage options are planned for a future release.Credential Handling
User credentials are securely hashed and never stored in plaintext. Krait avoids collecting or retaining personal data that is not required for security operations.Access Controls
Within Krait’s infrastructure, access is minimal, role-specific and tightly controlled. The platform implements AWS IAM authentication, audit logging of data access and regular security monitoring and threat detection.Your Control
You remain in full control of your data.- Repositories, resources and entire workspaces can be deleted at any time.
- When deleted, all associated data is removed from Krait’s systems.
Data Retention
Krait follows specific retention periods for each data category:| Data Type | Retention Period |
|---|---|
| Vulnerability findings | Until the associated resource is disconnected |
| Scanned code and images | Temporary copies deleted immediately after scan |
| Server logs | 7 days |
| Active account data | Indefinitely, until account deletion |
| Deleted account data | Purged within 30 days (backups retained up to 90 days) |
| Billing records | 7 years (US tax compliance) |
Third-Party Sub-Processors
Krait uses the following sub-processors to deliver the service. Data Processing Agreements are maintained with each.| Service | Purpose | Data Shared |
|---|---|---|
| AWS | Cloud infrastructure and storage | Repository metadata, scan results, logs |
| GitHub / GitLab APIs | Repository access | Repository data and metadata |
| Slack | Notifications | Scan summaries and notification text |
| Linear | Ticket management | Issue metadata and ticket references |
| Resend | Email delivery | User emails and notification content |
| Stripe | Payment processing | Billing information and customer ID |
Your Rights
You may contact Krait at any time to:- Access your personal information
- Correct inaccurate data
- Restrict processing of your data
- Export your data in a portable format
- Object to specific processing uses