Security & trust

Engineered for the security review.

We work with eng leaders who answer to security teams. Here's exactly how Launch Vectors handles data, auth, and the production path.

Encryption everywhere

TLS at every external boundary. Data at rest is encrypted using the AWS RDS, ClickHouse Cloud, and EBS defaults. Secrets live exclusively in AWS Secrets Manager.

Least-privilege GitHub App

The App requests only metadata (read), pull_requests (read), contents (read), actions (read), and checks (write). The single write scope, checks, is what lets it post check results on a PR; it grants no write access to your code. Note that contents (read) does let the App fetch file contents when scoring, which is why the next section spells out what is and is not retained.

Your diffs stay in GitHub

We score from PR metadata, file lists, and aggregate stats. Raw diff content is never persisted on our side; what we cache is hashable metadata only.

Audit logging

Every mutating action, and every read of a risk-score explanation, is recorded with actor, timestamp, target, and a hash of the payload. The audit log is exportable.

RBAC at the gateway

Three roles (admin, engineer, viewer) are enforced at the API gateway before any scoring data is returned. Sign-in is through GitHub OAuth, which issues short-lived JWTs.
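The pattern described above, as an added example that is not Launch Vectors' code: a gateway that verifies a short-lived HS256 JWT (signature, algorithm, expiry) and checks the caller's role before anything reaches the scoring backend. The signing key, the 15-minute lifetime, the action-to-role matrix and the claim names are assumptions made for the example; the page only names the three roles. It uses the standard library only, so it runs offline.

```python
"""Short-lived JWT verification plus role check at an API gateway.

Added example, not Launch Vectors' code. Assumes HS256 tokens carrying
`sub`, `role`, `org`, `iat` and `exp` claims; the action names and the
role matrix are invented for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: in a real deployment this is loaded from a secret store.
SECRET = b"example-gateway-signing-key"
TOKEN_TTL_SECONDS = 15 * 60  # "short-lived" taken to mean 15 minutes here

ROLES = {"admin", "engineer", "viewer"}
# Which role may perform which gateway action (assumed for this example).
ALLOWED = {
    "read_scores": {"admin", "engineer", "viewer"},
    "read_explanation": {"admin", "engineer"},
    "change_settings": {"admin"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(sub: str, role: str, org: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT once GitHub OAuth has identified the user."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "role": role, "org": org,
              "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = _json_segment(header) + "." + _json_segment(claims)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, c, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        raise PermissionError("malformed header")
    if header.get("alg") != "HS256":  # reject alg=none / algorithm confusion
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(c))
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise PermissionError("token expired")
    if claims.get("role") not in ROLES:
        raise PermissionError("unknown role")
    return claims


def gateway(token: str, action: str, now: Optional[int] = None) -> dict:
    """Authorise at the gateway; only then forward to the scoring backend."""
    claims = verify_token(token, now)
    if claims["role"] not in ALLOWED.get(action, set()):
        raise PermissionError(f"role {claims['role']} may not {action}")
    # What the backend receives: tenant and actor come from the verified
    # token, never from request parameters the client controls.
    return {"org": claims["org"], "actor": claims["sub"], "action": action}
```

A viewer token is accepted for read_scores, refused for read_explanation, refused once `exp` has passed, and a token whose role claim has been edited without re-signing fails the signature check before any role logic runs. In production the key would be rotated via the secret store and the `alg` pin kept, since accepting whatever algorithm the token names is the classic JWT mistake.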

Tenant isolation

Pilot data is logically isolated per org with row-level scoping: every query is bound to the caller's org. The architecture preserves an on-prem path for production buyers who require a single-tenant deployment.
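Row-level scoping as an added example, not the product's own code: a data-access layer that pins every query to one org_id taken from the verified session, so a caller who knows another tenant's repo name still cannot read or overwrite that tenant's rows. The pr_scores table, its columns and the sample rows are constructed for the example; sqlite3 is used in memory so it runs offline.

```python
"""Row-level tenant scoping on a shared table.

Added example, not Launch Vectors' code. Assumes a `pr_scores` table
with an `org_id` column and that the tenant comes from verified token
claims, never from a request parameter. Sample data is constructed.
"""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE pr_scores (
    org_id     TEXT    NOT NULL,
    repo       TEXT    NOT NULL,
    pr_number  INTEGER NOT NULL,
    risk_score REAL    NOT NULL,
    PRIMARY KEY (org_id, repo, pr_number)
);
"""

# Constructed sample rows for two tenants sharing one table.
SAMPLE_ROWS = [
    ("org-a", "org-a/api", 41, 0.72),
    ("org-a", "org-a/web", 7, 0.12),
    ("org-b", "org-b/core", 3, 0.95),
]


class TenantScopedStore:
    """Every statement carries a WHERE org_id = ? fixed at construction."""

    def __init__(self, conn: sqlite3.Connection, org_id: str):
        self._conn = conn
        self._org_id = org_id

    def list_scores(self) -> List[Tuple[str, int, float]]:
        cur = self._conn.execute(
            "SELECT repo, pr_number, risk_score FROM pr_scores "
            "WHERE org_id = ? ORDER BY repo, pr_number",
            (self._org_id,),
        )
        return cur.fetchall()

    def get_score(self, repo: str, pr_number: int) -> Optional[float]:
        # Knowing another tenant's repo name does not help: org_id is pinned.
        row = self._conn.execute(
            "SELECT risk_score FROM pr_scores "
            "WHERE org_id = ? AND repo = ? AND pr_number = ?",
            (self._org_id, repo, pr_number),
        ).fetchone()
        return None if row is None else row[0]

    def upsert_score(self, repo: str, pr_number: int, risk_score: float) -> None:
        # Writes are scoped the same way, so a write can never land in
        # another tenant's partition of the table.
        self._conn.execute(
            "INSERT OR REPLACE INTO pr_scores VALUES (?, ?, ?, ?)",
            (self._org_id, repo, pr_number, risk_score),
        )
        self._conn.commit()


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO pr_scores VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def store_for_session(conn: sqlite3.Connection, claims: dict) -> TenantScopedStore:
    """Derive the tenant from verified token claims, not from the request."""
    return TenantScopedStore(conn, claims["org"])
```

On Postgres the same invariant can be pushed into the database itself by enabling row-level security on the table and adding a policy that compares org_id with a per-connection setting, so that even an unscoped query from application code cannot cross tenants.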

SOC2 roadmap

The MVP is not SOC 2-audited. We are building it to be SOC 2-ready (managed services with appropriate controls, a documented control mapping, encryption everywhere) and will pursue the audit after the pilot once production buyers commit. We'll share our control matrix on request under NDA.

On-prem option

Production deployments can run inside your AWS account or on your own on-prem cluster. The architecture deliberately avoids managed-service lock-in beyond services that have Helm-installable equivalents (Postgres, ClickHouse, Vault). The plan: pilot in our hosted tenant, then run production wherever your security team needs us.

Have a specific security question? Email [email protected].