How GhostCode handles access, findings, and client data.
Security work should start with boundaries. This page explains what access is needed, what access is not needed, how findings are delivered, retention expectations, confidentiality, and responsible disclosure.
Data handling policy
- We collect only the project context needed to assess agreed security scope.
- Preliminary scan submissions may include website URL, email, and generated risk-signal summary.
- Findings are delivered in founder-readable language with developer-ready remediation guidance.
- Data retention is limited to the period needed for intake, delivery, follow-up, and legal or accounting records.
What access is needed
- Public website URL for preliminary exposure estimates
- Scoped read-only project context for deeper audits when required
- Staging access or guided walkthroughs when production access is not appropriate
- Secure intake before code, logs, credentials, or architecture documents are shared
What access is not needed
- Do not send secrets before secure intake.
- We do not need production database credentials for the preliminary scan.
- We do not need service role keys in plain email or chat.
- We do not need permanent admin access unless separately scoped and approved.
Confidentiality, delivery, retention, and disclosure.
Confidentiality / NDA available before sensitive materials are shared. Service work should be covered by a separate agreement that defines scope, access, timelines, and retention.
Findings are delivered as prioritized attack paths, remediation tasks, and verification notes. Preliminary scan results are estimates and not full penetration tests.
Client data is retained only as long as needed for delivery, follow-up, business records, and agreed support. Exact retention windows can be defined during intake.
Responsible disclosure contact placeholder: hello@ghostcode.security. Do not include secrets or exploit payloads in an initial email.
Explore GhostCode
Scan
Run a preliminary exposure estimate for your AI-built SaaS and see recommended checks across Supabase RLS, auth, APIs, storage, webhooks, secrets, business logic, and admin routes.
Security Quiz
Take the free GhostCode Security Quiz to find likely blind spots in your AI-built SaaS and get the GhostCode Audit Checklist.
Audit Checklist
A practical SaaS security checklist for AI-assisted founders covering Supabase, auth, APIs, storage, secrets, webhooks, and business logic.
Services
Compare GhostCode Security services: GhostScan Audit, GhostFix Sprint, and GhostShield Retainer for AI-assisted SaaS teams.
Supabase Security
Supabase security audits for RLS policies, anon key exposure, storage buckets, service role handling, Edge Functions, APIs, and app permissions.
AI Code Security
Security audits for AI-generated SaaS built with Lovable, Bolt, Replit, Cursor, Claude, Codex, and similar AI-assisted development tools.
Case Studies
Coming soon: anonymized GhostCode Security teardowns covering exposed Supabase policies, public buckets, admin route leaks, API abuse paths, and payment or webhook issues.
Book
Book a GhostCode Security call to review your AI-built SaaS, likely exposure paths, access needs, and next security steps.