Trust Center

We take security as seriously as you do

Your source is among the most valuable data your company owns. This page is the full breakdown of how we handle it.

GDPR compliant
SOC 2 Type II in progress
ISO 27001 in progress
Ephemeral scanning

  • 0: Source code stored at rest
  • 1–3 min: Per scan, then destroyed
  • 24h: Security response time

Scan Lifecycle

How a scan works

Kolega doesn't store your code after analysis. Every scan runs in a fresh, isolated container. After the scan, the container and everything in it are destroyed.

  1. Select repos
     Connect via OAuth, choose the repos you want scanned.

  2. Temporary clones
     Each repo is cloned into a fresh, isolated container.

  3. Scan in 1–3 minutes
     Semantic analysis runs inside the container.

  4. Findings encrypted & masked
     Results extracted, sensitive data masked where needed.

  5. Container destroyed
     Your code is wiped along with the container.

That's the full lifecycle. Code enters, code gets scanned, code is destroyed.
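The lifecycle above, modelled end to end as an added example (this is illustrative code written for this page, not Kolega's scanner): a throwaway workspace stands in for the isolated container, `git clone` is simulated with constructed files, a couple of toy rules stand in for the semantic analysis, findings carry only a masked fragment of any matched secret, and the workspace is wiped in a `finally` block so teardown happens even if the scan fails. The rule names, file contents and the `hunter2-example` value are all constructed.

```python
"""Ephemeral scan lifecycle: clone into a temp workspace, scan, extract masked
findings, destroy the workspace, and verify nothing is left behind."""
import os
import re
import shutil
import tempfile

# Constructed sample repository; the credential value is fake.
SAMPLE_REPO = {
    "app/config.py": "DB_PASSWORD = 'hunter2-example'\nDEBUG = True\n",
    "app/main.py": "def handler(req):\n    return eval(req.body)\n",
}

# Toy rules standing in for semantic analysis (hypothetical, for illustration).
RULES = [
    ("hardcoded-credential", "high", re.compile(r"(?i)password\s*=\s*'([^']*)'")),
    ("dangerous-eval", "high", re.compile(r"\beval\(")),
]


def mask(value: str) -> str:
    """Keep only the first two characters so a finding never carries the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def clone_into(workspace: str, repo_files: dict) -> None:
    """Stands in for `git clone` into the fresh workspace."""
    for rel, content in repo_files.items():
        path = os.path.join(workspace, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def scan_workspace(workspace: str) -> list:
    """Run every rule over every line; record location and masked evidence only."""
    findings = []
    for root, _, files in os.walk(workspace):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, workspace).replace(os.sep, "/")
            with open(path) as fh:
                for lineno, line in enumerate(fh, start=1):
                    for rule_id, severity, pattern in RULES:
                        m = pattern.search(line)
                        if m:
                            findings.append({
                                "rule": rule_id,
                                "severity": severity,
                                "file": rel,
                                "line": lineno,
                                # Only a masked fragment leaves the workspace.
                                "evidence": mask(m.group(1)) if m.groups() else None,
                            })
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


def run_ephemeral_scan(repo_files: dict):
    """Full lifecycle: create workspace, clone, scan, destroy. Returns
    (findings, workspace_path) so the caller can confirm the wipe."""
    workspace = tempfile.mkdtemp(prefix="ephemeral-scan-")
    try:
        clone_into(workspace, repo_files)
        findings = scan_workspace(workspace)
    finally:
        # Teardown runs whether or not the scan succeeded.
        shutil.rmtree(workspace, ignore_errors=True)
    return findings, workspace


def workspace_destroyed(path: str) -> bool:
    """True when no trace of the cloned source remains on disk."""
    return not os.path.exists(path)


if __name__ == "__main__":
    results, ws = run_ephemeral_scan(SAMPLE_REPO)
    for f in results:
        print(f)
    print("workspace destroyed:", workspace_destroyed(ws))
```

The point worth checking in a real pipeline is the last function: after the scan, assert that the workspace is gone and that the raw secret appears nowhere in the findings you persist.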

Online scanning

For GitHub, GitLab, and other Git providers, we use OAuth with read-only scope by default. No refresh or access tokens are stored long-term in our database. A breach of Kolega would not result in your source code being downloadable, because we don't store your source code.

Self-hosted scanning

For teams that can't let code leave their infrastructure, Kolega can run entirely inside your VPC. Enterprise customers get a self-hosted runner — the engine scans on your hardware, results stay where you put them, and nothing about your code reaches us.

Talk to us about self-hosted

Compliance

Built to the standards your security team expects

Compliant

Privacy & GDPR

Kolega is fully compliant with the General Data Protection Regulation (GDPR). EU customer data is handled in line with EU data protection law.

Privacy Policy

In progress

Compliance frameworks

We are actively working toward ISO 27001 and SOC 2 Type II certification. Until those are completed, we maintain the same operational controls those frameworks require — documented internally and reflected in this page.

Request our current security overview

Data Practices

How we handle your data

What stays, what gets dropped, and what is off-limits — in plain English.

What we keep

  • Scan findings (severity, file path, line number, fix suggestions)
  • Account and billing data
  • Audit logs of scans run on your account

What we don't keep

  • Your source code, after the scan completes
  • Refresh tokens or long-lived access credentials (where the Git provider supports it)
  • Any data we don't need to deliver the product

What we never do

  • Train models on customer code
  • Share customer code with third parties
  • Use customer code for anything outside the scan it was uploaded for

Contact

Got a security or procurement question?

A real person responds within 24 hours. Whether you're filling out a vendor questionnaire or just want to know how a scan handles your code, we'll get back to you.

Last updated: June 1, 2026