This document provides technical detail on how FuzzCTO handles your source code
and data. It supplements our Privacy Policy.
1. Code access
| Method | GitHub OAuth (read-only scope) |
| Scope | repo:read on repositories you explicitly authorise |
| Write access | Never requested. FuzzCTO cannot modify your code. |
| Token storage | OAuth tokens are stored encrypted (AES-256) in Supabase with row-level security. |
2. Code processing pipeline
When you request a review, this is exactly what happens:
- Fetch: Your code is read from GitHub via their API using your OAuth token. Files are streamed into memory on a Cloudflare Worker.
- Filter: Binary files, images, vendored dependencies, and files exceeding size thresholds are excluded. Only source code and configuration files are analysed.
- Analyse: Filtered source code is sent to the Anthropic Claude API along with the CTO review prompt. The prompt instructs the model to analyse code through 1-9 analytical lenses depending on the review type selected.
- Generate: The Claude API returns a structured review report. This report is the deliverable you receive.
- Store report: The generated report is stored encrypted in Supabase (PostgreSQL on AWS) and associated with your account.
- Discard code: Your source code is discarded from memory. It is never written to disk, never stored in a database, and never cached.
3. Anthropic Claude API
Your code is sent to Anthropic's Claude API for analysis. Key facts about Anthropic's data handling:
- Anthropic does not train on API customer data.
- API inputs and outputs are retained for up to 30 days for trust and safety purposes, then deleted.
- Anthropic is SOC 2 Type II certified.
- Full details: Anthropic Privacy Policy and API Data Usage Policy.
4. Data storage
| Data type | Storage | Encryption | Retention |
|---|---|---|---|
| Source code | Not stored | N/A | Discarded after analysis |
| Review reports | Supabase (AWS) | AES-256 at rest, TLS in transit | Account lifetime (deletable on request) |
| OAuth tokens | Supabase (AWS) | AES-256 at rest, TLS in transit | Account lifetime (revocable any time) |
| Account data | Supabase (AWS) | AES-256 at rest, TLS in transit | Until account deletion |
| Payment records | Stripe | PCI DSS Level 1 | 7 years (UK tax law) |
5. Infrastructure security
- Cloudflare: DDoS protection, WAF, edge TLS termination. SOC 2 Type II, ISO 27001 certified.
- Supabase: PostgreSQL on AWS with row-level security (RLS), encrypted backups, SOC 2 Type II certified.
- Stripe: PCI DSS Level 1 compliant. Card data never touches our systems.
- Anthropic: SOC 2 Type II certified. Zero-retention API option available for enterprise.
Note: While all our infrastructure providers maintain SOC 2 certifications,
FuzzCTO itself does not currently hold a SOC 2 certification.
6. Data deletion
You can request complete data deletion at any time by emailing fuzz@fuzzcto.ai.
Upon request, we will:
- Delete all review reports associated with your account.
- Revoke and delete your GitHub OAuth token.
- Delete your account record and associated data.
- Confirm deletion in writing within 30 days.
Payment records retained by Stripe for tax compliance cannot be deleted within the 7-year statutory period.
7. Contact
For data handling questions or to exercise your data rights, contact fuzz@fuzzcto.ai.