Security

Your code is ephemeral. Our architecture guarantees it.

Reviewing private code requires an explicit data-handling promise, not a paragraph in a terms-of-service PDF. Below is exactly what touches our servers, exactly how long it stays, and exactly which compliance work is real versus aspirational.

01 Zero retention

No storage. No training. No exceptions.

Every Sigilix review runs in an isolated compute container. Code is fetched via scoped GitHub tokens, held in memory only for the duration of the review, and discarded within 60 seconds of completion. We do not train models on your code. We do not vectorize your repositories into a shared database. We do not retain logs containing file contents.

  1. GitHub PR · source of truth
  2. Sigilix API · TLS termination
  3. Review worker · memory only · ≤ 60s
  4. LLM provider · zero retention
  5. /dev/null · discarded

02 Trust boundary

Where your data goes — and where it stops.

We split data into three categories: what touches Sigilix, what touches upstream LLM providers, and what stays inside your GitHub. The third category is the largest by far.

| Actor | Data seen | Retention |
|---|---|---|
| Sigilix worker | Diff hunks, file context, PR metadata | In memory only · purged ≤ 60s after review |
| Sigilix telemetry | Aggregate counters: review count, latency, model errors | 90 days · no file content |
| LLM providers (DeepSeek, Kimi) | Diff hunks + retrieval context for the active specialist | Zero-retention via commercial inference contracts; never used for training |
| Your GitHub | The full review (verdict, findings, suggested patches) | Persistent — owned by you, auditable in the PR |

03 Permissions

Least privilege. No write scopes by default.

Sigilix asks for the minimum set of GitHub App scopes to read PRs and post review comments. Anything broader is opt-in and only granted to features you explicitly enable.

Read access to pull requests

To fetch the diff and post inline comments.

Read access to repository contents

For limited retrieval of the surrounding files cited in a review.

Read access to org members

So Core can attribute reviews to authors and respect org-level rules.

Write access to pull request reviews

To post the verdict and inline findings as a single review.

Write access to repository contents

We never write to your files. Not used; never requested.

Admin: org

Never used. Sigilix has no need to modify org settings.

Webhook creation

Sigilix runs as a GitHub App with delivery via the App webhook — no per-repo webhook creation.

04 Compliance

Honest status. No badges we haven't earned.

We'd rather tell you exactly where we are than buy a logo. Below is our compliance roadmap — what we've completed, what is in progress, and what is intentionally postponed because we are too small to run it responsibly today.
  1. Security architecture review · Completed

    Internal review by an external advisor. Hardened secret handling, ephemeral inference, and request-level isolation.

  2. SOC 2 Type II · In progress

    In progress with a Big-Four-adjacent firm. Target audit window: Q4 2026. Bridge letter available on request.

  3. Annual penetration test · In progress

    Scoped to the Sigilix worker, GitHub App, and dashboard. Engagement booked for Q3 2026.

  4. Bug bounty program · Planned

    Postponed until post Series-A. We won't run a bounty we can't triage in 24h. Email security@arcanchor.com for responsible disclosure today.

  5. HIPAA / FedRAMP / SOC 2 Type II refresh · Planned

    Driven by enterprise customer requirements. We pursue certifications when a paying customer needs them, not before.

Read the architecture. Then read the proof.

Sigilix is built on the assumption that customers should never have to take security claims on faith.

Last updated 2026-05-04