Skip to main content

Our Privacy Principles

Krait follows four guiding principles across all product workflows:

Minimal Data Collection

Krait only collects the data required to perform vulnerability detection and deliver accurate security insights.
We do not collect or store unnecessary personal data.

Customer Ownership and Control

All data scanned through Krait, including repositories, container images and integration metadata, remains your property.
You control:
  • what gets scanned
  • how long data is retained
  • when resources or integrations are removed
  • who has access inside your workspace
Krait does not share customer data with third parties unless explicitly authorized. By connecting your repositories or code, you grant Krait a limited license solely to scan, analyze and store that data for security purposes. Vulnerability findings and reports generated from your code remain yours.

No Unauthorized Access

We never access your assets manually unless you grant temporary permissions. Automated scanning workflows happen inside secure processing environments, with strict access controls and audit trails.

Transparency at Every Step

Krait offers clear visibility into what we collect and how it is used. No hidden tracking, no silent monitoring and no use of customer data for training external AI models. We do not train our models with your data. Your source code and analysis results remain private and are never used for model training purposes.
Anonymized, aggregated scan data may be used to improve detection accuracy and analyze broad security trends, in a form that cannot reasonably identify your organization, repositories or findings.

What Data Krait Processes

Krait processes only the data required to identify security risks and support remediation. All data is used strictly for security analysis and platform functionality.

Account Information

When you register, Krait collects your email address, name or display name, and optional organization information. If you sign in via a third-party provider (Google, GitHub or GitLab), basic profile data is received subject to the permissions you grant.

Automatic Technical Data

The platform automatically collects technical metadata to operate and secure the service:
  • IP addresses and browser or device information
  • Referring URLs and pages visited
  • Session data and authentication activity
This data is captured through application and server logs.

Code & Repository Data

When you connect GitHub or GitLab repositories, Krait accesses repository names, URLs and metadata, commit history, file paths, source code contents, configuration files and CI/CD workflow files, using read-only access for security analysis.
  • Only the minimum necessary data is processed to detect vulnerabilities, insecure dependencies and misconfigurations.
  • Your full source code is not stored beyond what is needed for a scan.
  • Krait never modifies your repositories and does not push commits or changes.
  • Temporary copies used during analysis are deleted immediately after the scan completes.

Container Images & Packages

Container image scans capture image identifiers, registry references, operating system metadata, installed packages, Dockerfile information and vulnerability findings with CVE identifiers. Images are:
  • Scanned in secure, temporary environments
  • Not retained after analysis is complete

AI Deep Scan

Krait’s AI Deep Scan feature processes source code snippets and patterns, dependency information, infrastructure-as-code files and application logic to generate analysis results and remediation suggestions. This data is handled under the same privacy and security standards as all other code data.

Integration Metadata

Krait processes limited metadata from integrations such as Jira, Linear, Git providers and cloud platforms. This data is used only to:
  • Scan resources to find vulnerabilities
  • Link vulnerabilities to teams or projects
  • Create and synchronize tickets
  • Support remediation workflows
No integration data is used beyond these purposes.

Payment Data

Payment processing is handled by Stripe. Krait stores billing metadata such as customer ID, subscription status and plan information, but not full card details. Billing records are retained for 7 years to meet US tax compliance requirements.

How We Use Your Data

Krait uses collected data to:
  • Operate the service and manage user accounts
  • Authenticate and secure your account
  • Process subscriptions and payments
  • Provide customer support
  • Detect abuse and security threats
  • Send service updates and security notices
  • Improve platform features and scanning accuracy

Data Security & Storage

Encryption Standards

All data is protected at every layer:
  • In transit: TLS encryption on all connections
  • At rest: AES-256 encryption for stored data
Sensitive information such as tokens, keys or secrets is encrypted both in transit and at rest.

Storage Location

Data resides primarily in us-east-1 (US East, N. Virginia). EU storage options are planned for a future release.

Credential Handling

User credentials are securely hashed and never stored in plaintext. Krait avoids collecting or retaining personal data that is not required for security operations.

Access Controls

Within Krait’s infrastructure, access is minimal, role-specific and tightly controlled. The platform implements AWS IAM authentication, audit logging of data access and regular security monitoring and threat detection.

Your Control

You remain in full control of your data.
  • Repositories, resources and entire workspaces can be deleted at any time.
  • When deleted, all associated data is removed from Krait’s systems.
You are responsible for maintaining your own backups and for verifying scan accuracy before acting on findings.

Data Retention

Krait follows specific retention periods for each data category:
Data TypeRetention Period
Vulnerability findingsUntil the associated resource is disconnected
Scanned code and imagesTemporary copies deleted immediately after scan
Server logs7 days
Active account dataIndefinitely, until account deletion
Deleted account dataPurged within 30 days (backups retained up to 90 days)
Billing records7 years (US tax compliance)

Third-Party Sub-Processors

Krait uses the following sub-processors to deliver the service. Data Processing Agreements are maintained with each.
ServicePurposeData Shared
AWSCloud infrastructure and storageRepository metadata, scan results, logs
GitHub / GitLab APIsRepository accessRepository data and metadata
SlackNotificationsScan summaries and notification text
LinearTicket managementIssue metadata and ticket references
ResendEmail deliveryUser emails and notification content
StripePayment processingBilling information and customer ID
Krait is not responsible for the availability, functionality or security of third-party services integrated with the platform.

Your Rights

You may contact Krait at any time to:
  • Access your personal information
  • Correct inaccurate data
  • Restrict processing of your data
  • Export your data in a portable format
  • Object to specific processing uses
Verified requests are responded to within 30 days.

Regulatory Compliance

GDPR (EU / EEA / Switzerland)

Krait processes personal data on the bases of user consent, contractual necessity, legitimate business interests and legal compliance. Data Processing Agreements are available upon request. EU/EEA residents may lodge complaints with their local data protection authority.

CCPA (California)

Krait adheres to California Consumer Privacy Act requirements for the personal data of California residents.