1. Introduction

At Korekt, Inc. ("Korekt," "we," "us," or "our"), security is foundational to how we build and operate our AI-powered code review platform. We understand that our customers trust us with access to their source code and development infrastructure, and we take that responsibility seriously.

This Security Policy describes the measures we implement to protect your data, how we manage vulnerabilities, and how we respond to security incidents.

2. Infrastructure Security

Our platform is hosted on Google Cloud Platform (GCP), leveraging GCP's physical security, data center controls, and network infrastructure.

  • Firewall rules — Inbound traffic is restricted to only the ports and protocols the platform requires
  • Database access — The database is not exposed to the public internet
  • OS maintenance — The application server OS is kept up to date with security patches applied during regular maintenance windows

3. Data Protection

Encryption in transit: All data transmitted between clients and our platform is encrypted using HTTPS/TLS. API endpoints and the web interface are served over HTTPS only.

Encryption at rest:

  • Integration credentials (VCS tokens, issue tracker credentials) are encrypted using AES-256 before storage
  • User passwords are hashed with bcrypt using appropriate work factors and are never stored in plain text

Data minimization:

  • We request only the minimum permissions necessary from third-party integrations
  • VCS connections are read-only except where write access is required for posting review comments
  • Sensitive values (API keys, tokens, passwords) are filtered from application logs

4. Application Security

  • Authentication — Token-based API authentication with automatic expiration. Session management with secure, HTTP-only cookies for the web interface
  • Authorization — Role-based access control (RBAC) with organization-scoped data isolation. Users can only access data belonging to their organization
  • Input validation — All user input is validated and sanitized server-side. Database queries use parameterized statements to prevent injection attacks
  • Webhook verification — Incoming webhooks from VCS providers are validated using HMAC signature verification to ensure authenticity
  • Dependency management — Third-party dependencies are regularly updated and reviewed before deployment

5. AI Processing Security

Code submitted for review is processed by Google's Gemini API. Our AI integration is configured with the following security considerations:

  • No training on your data — Your code is not used to train or improve AI models. Processing is done on a per-request basis only
  • No persistent storage by AI provider — Code sent to the Gemini API is not retained by Google after processing is complete
  • Secure transmission — All communication with the Gemini API occurs over encrypted TLS connections
  • Scoped access — Only the specific code diffs under review are sent for analysis, not your entire repository

6. Vulnerability Management

We take a proactive approach to identifying and addressing security vulnerabilities:

  • Code review — Code changes are reviewed with attention to security implications before deployment
  • Patch management — Critical security patches for application dependencies and the operating system are applied promptly. Non-critical updates are applied during regular maintenance cycles
  • Infrastructure updates — Managed runtime environments receive automatic security updates from the cloud provider

7. Incident Response

Security incidents are managed by the company's security lead, who is responsible for coordinating the response and all communications with affected parties.

In the event of a security incident, we follow a structured response process:

  1. Detection & triage — Identify the scope and severity of the incident and classify it (critical, high, medium, low)
  2. Containment — Take immediate action to limit the impact, including isolating affected systems and revoking compromised credentials as needed
  3. Investigation — Determine the root cause, assess what data was affected, and identify remediation steps
  4. Remediation — Implement fixes to resolve the vulnerability and prevent recurrence
  5. Notification — Affected customers will be notified within 72 hours of a confirmed incident involving their data. Notifications will include a description of the incident, the types of data affected, the steps taken to address it, and recommended actions for affected users
  6. Post-mortem — Document the root cause, timeline, impact, and corrective actions taken. Findings are used to update security controls and prevent recurrence

To report a security concern or incident, contact security@korekt.ai.

8. Access Control

  • Multi-tenant isolation — Customer data is logically separated by organization. Application-level controls enforce that database queries are always scoped to the authenticated user's organization
  • Role-based access — Authorization is enforced through role-based access control, ensuring users can only perform actions appropriate to their role within an organization
  • Production access — Direct access to production systems and databases is restricted to key-based authentication

9. Business Continuity

  • Backups — Database backups are performed automatically on a regular schedule
  • Monitoring — We monitor platform health and availability, with alerting configured for anomalies and outages

10. Reporting a Security Vulnerability

If you discover a security vulnerability in our platform, we encourage responsible disclosure. Please report it to us at:

security@korekt.ai

We ask that you:

  • Provide a detailed description of the vulnerability, including steps to reproduce
  • Allow us reasonable time to investigate and address the issue before public disclosure
  • Avoid accessing or modifying other users' data during your research

We commit to acknowledging receipt of vulnerability reports within 2 business days and will keep you informed of our progress toward resolution.

11. Policy Updates

We review and update this Security Policy periodically to reflect changes in our practices, technology, and regulatory requirements. Updates will be posted on this page with a revised "Last updated" date.

12. Contact

For security-related questions or concerns, please contact us:

Korekt, Inc.
Security: security@korekt.ai
General: hello@korekt.ai