Privacy Policy

Last updated: April 14, 2026  ·  Effective: April 14, 2026

Overview

SASTRA is a static application security testing tool. This policy explains what data we handle when you use it, how we handle it, and what rights you have over it.

The short version: you submit code to be scanned for vulnerabilities. We run the analysis and immediately discard the source code - it is never written to our database. Only the scan results (vulnerability findings and metadata) are saved, so you can refer back to them later. Scan records are deleted automatically after 90 days.

This policy applies to all users of SASTRA regardless of how you access it.

What we collect

We collect only what is necessary to run the service.

  • Account credentials - your username and a bcrypt hash of your password. We never store your password in plaintext.
  • Submitted code - source files or code snippets you upload or paste. Used only to run the scan - discarded immediately after results are generated. Never written to the database.
  • Scan metadata - filename, language, timestamp, and severity counts associated with each scan.
  • Findings - matched vulnerability rules, CWE identifiers, severity ratings, and the relevant code snippets flagged during analysis.
  • Session token - a JWT stored in an HttpOnly cookie. Used to keep you authenticated. Cleared on logout.
  • Application logs - request timestamps and error messages for operational monitoring. Source code is never written to logs.

Your code

We understand that source code is often proprietary. It may contain business logic, unreleased features, or confidential implementation details belonging to you or your organization.

Your source code is never stored. The moment the scan completes, the uploaded file or pasted code is discarded from memory. What persists in the database are only the results - vulnerability findings, severity ratings, CWE identifiers, and scan metadata - not the original source.

  • Your code is used only to perform the scan, then immediately discarded.
  • It is never written to our database, logged, or retained in any form after the scan completes.
  • It is never sold, licensed, or disclosed to any third party.
  • It is never used to train or fine-tune any machine learning model. SASTRA's ML model is trained exclusively on publicly available open-source datasets.
  • It is not sent to any external service unless you explicitly click Get AI Fix on a specific finding. In that case, only the minimal code snippet for that finding is transmitted - not your full file.

Note for teams and organizations: Before uploading code, ensure you have the authority to submit it to a third-party service. If the code belongs to a client or is covered by an NDA or open-source license with redistribution restrictions, verify that using SASTRA complies with those obligations.

How we use your data

We use data collected through SASTRA solely for the following purposes:

  • Running vulnerability scans on the code you submit
  • Authenticating your identity and protecting your account
  • Generating in-app results and downloadable PDF reports
  • Maintaining your scan history so you can review past results
  • Monitoring application health, diagnosing errors, and fixing bugs
  • Detecting and preventing abuse or unauthorized access

We do not use your data for advertising, profiling, analytics sold to third parties, or any purpose not listed here.

Retention

Different data is kept for different lengths of time:

  • Source code - never stored. Discarded immediately after the scan completes.
  • Scan findings and metadata (vulnerability results, severity ratings, CWEs, filename, timestamps) - retained so you can review past scans. Deleted automatically 90 days after the scan date.
  • Account credentials - kept for as long as your account exists. You can request deletion at any time.
  • Application logs - rotated automatically at 10 MB per file, five files maximum. Logs contain no source code.
  • Database backups - created daily and rotated on a short cycle.

If you delete your account, all scans, findings, and credentials associated with it are removed from the database.

Sharing

We do not sell or share your personal data or source code. The only circumstances in which data leaves our system are:

  • AI code fix (opt-in only): If you click Get AI Fix, a small code snippet for that specific finding is sent to the configured LLM endpoint (NVIDIA NIM by default). This is always a deliberate, per-finding action. The snippet is not retained beyond the API response.
  • Legal process: If we are required by law, regulation, or a valid court order to disclose data, we will do so only to the extent required and will notify you where legally permitted.

There are no third-party analytics scripts, advertising networks, or tracking pixels embedded in SASTRA.

Security

We take reasonable steps to protect the data you entrust to us:

  • Passwords are hashed with bcrypt. Plaintext passwords are never stored or logged.
  • Session tokens are issued as HttpOnly, SameSite cookies, reducing exposure to XSS attacks.
  • Scans are tied to individual accounts. No scan is accessible to another user.
  • Application logs are scrubbed of source code content.
  • The database is backed up daily to reduce the risk of data loss.

No system can guarantee complete security. We recommend not uploading code that contains live credentials, API keys, or secrets - those should be rotated regardless of where the code is shared.

Your rights

You have the following rights with respect to your data:

  • Access: View all your scans and findings from the dashboard at any time.
  • Download: Export any scan result as a PDF report from the scan results page.
  • Deletion: Delete individual scans from your scan history, or request full account deletion by contacting us.
  • Correction: Update your username or password from the Settings page.
  • Opt-out of AI features: The AI code-fix feature is entirely opt-in. You can use every other part of SASTRA without your code ever leaving our servers.

To exercise any right not available directly in the application, contact the administrator of your SASTRA deployment.

Cookies and local storage

SASTRA uses browser storage only where necessary:

  • Authentication cookie - an HttpOnly, SameSite=Lax JWT set on login. Required for the application to function. Cleared on logout.
  • Theme preference (localStorage) - stores your light or dark mode selection. Contains no personal data.
  • Session username (sessionStorage) - your display name, used in the UI. Cleared when the browser tab closes.

We do not use advertising cookies, cross-site trackers, or browser fingerprinting.

Changes to this policy

If we make material changes to how we handle your data, we will update the date at the top of this page and display a notice within the application. For significant changes - particularly anything affecting how submitted code is handled - we will ask you to review and re-accept the updated policy before continuing.

Continuing to use SASTRA after a policy update constitutes acceptance of the revised terms.

Contact

For questions about this policy, data access requests, or account deletion, contact the administrator of your SASTRA deployment.

If you believe a privacy violation has occurred, you have the right to raise a complaint with the relevant data protection authority in your jurisdiction.