Security
How we protect your code and your account.
Facet’s entire reason to exist is judging code without putting it at risk. These are the measures in place today. For exactly what we collect and who processes it, see the Privacy Policy.
Your source code is never stored
We process the file you submit just long enough to measure it, then discard it. We do not keep a copy of your source, and we never use it to train a model. What we retain is derived measurements about the code (per-indicator findings, the line numbers they sit on, short notes, and a one-way content hash), never the code itself.
Encrypted in transit and at rest
Every connection to Facet runs over TLS. The account data and derived measurements we do keep live in a managed Postgres database that is encrypted at rest.
Every account is isolated
Access is default-deny: a request reaches your data only with a valid signed session, which we verify against your identity provider’s public keys. The database enforces row-level security, so one account can never read another’s rows, and report links are unguessable rather than sequential. Private reports are owner-only unless you explicitly share them.
Your client never holds provider keys
Only our backend talks to the model providers. The web app, the CLI, and the editor extension carry no API keys for any provider, so there is nothing in your client for an attacker to lift.
We screen submissions and bound them
Before any code leaves our backend we run a pre-flight scan and refuse submissions that look like they contain live secrets, and we cap the size of a submission to keep the service stable. Treat the scan as a safety net, not a guarantee: please do not paste live secrets or other people’s personal data.
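The two mechanisms described above, retaining only derived measurements (findings, line numbers, a one-way content hash) and the pre-flight gate that caps submission size and refuses credential-shaped content, can be sketched as one function. The code below is an added illustration and is not Facet's own backend code; the size cap, the secret heuristics, the entropy threshold and the sample inputs are all constructed for the example.

```python
"""Pre-flight gate for a code submission: size cap, secret screening,
and derived-only retention. Illustrative code, not Facet's implementation."""
from __future__ import annotations

import hashlib
import math
import re
from dataclasses import dataclass

# Assumed cap for the example; the page does not state the real figure.
MAX_SUBMISSION_BYTES = 256 * 1024

# Heuristics for credential-shaped strings, constructed for this example.
# A production scanner carries a larger, maintained rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # key = "value": only the quoted value is inspected, and only if it is long
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; below this, treat as a placeholder


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    indicator: str  # which rule fired
    line: int       # 1-based line number in the submission
    note: str       # short note; never the matched text itself


@dataclass
class PreflightResult:
    """Everything retained after pre-flight. The source bytes are not kept."""
    accepted: bool
    reason: str
    content_hash: str  # one-way hash of the submission
    findings: list[Finding]


def preflight(source: bytes) -> PreflightResult:
    content_hash = hashlib.sha256(source).hexdigest()
    # Bound the work before doing any of it.
    if len(source) > MAX_SUBMISSION_BYTES:
        return PreflightResult(False, "submission exceeds size cap", content_hash, [])

    text = source.decode("utf-8", errors="replace")
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Low-entropy quoted values ("xxxxxxxx", "changeme") are placeholders,
            # not live secrets, so the generic rule skips them.
            if name == "generic_assignment" and shannon_entropy(match.group(2)) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(name, lineno, "credential-shaped string; submission refused"))

    if findings:
        return PreflightResult(False, "possible live secret", content_hash, findings)
    return PreflightResult(True, "ok", content_hash, [])


# Constructed sample submissions (not real code or credentials).
SAMPLE_CLEAN = b"""import os
API_KEY = os.environ["API_KEY"]  # read at runtime, never committed
password = "xxxxxxxxxxxxxxxxxxxx"  # placeholder, low entropy
"""

SAMPLE_SECRET = b"""import boto3
AWS_KEY = "AKIAEXAMPLEKEY000000"  # constructed, not a real credential
token = "s3cr3tV4lu3W1thM1x3dCh4rs9"
"""

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("secret", SAMPLE_SECRET)):
        result = preflight(sample)
        print(label, result.accepted, result.reason, [(f.indicator, f.line) for f in result.findings])
```

The gate returns only what the page says is retained: a verdict, a hash and per-indicator findings with line numbers; the matched text is deliberately left out of the note so that a refused secret is not copied into the findings store. The entropy check is what keeps the generic rule from refusing every file that assigns a placeholder to `password`.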
Third-party analysis is disclosed and consented to
To measure your code we send it, over an encrypted connection, to third-party model providers for analysis, and you confirm that each time you profile. We design those requests to minimise retention. The full disclosure, including the providers involved and your choices, is in the Privacy Policy. If your code must never leave your own boundary, a self-hosted option is on our roadmap.
We keep the supply chain clean
Our build pipeline runs automated secret scanning and dependency auditing on every change, and we track and address security advisories in the libraries we depend on.
Reporting a problem
If you believe you have found a security issue, please email kareem.soliman@firasa.com.au with the details. We welcome responsible disclosure and will work with you to confirm and fix it.
See also our Privacy Policy and Terms of Service.