Security & Data

Your code and data security is our top priority. This page outlines our security practices and data handling policies.

Data Handling

What We Don't Store

Source Code: Your code is never stored on our servers
Conversations: Claude conversations are not retained after sessions
Credentials: API keys and secrets remain on your machine
Personal Data: No PII collection beyond account information

What We Process

Transient Processing: Code is processed in memory only
No Training: Your code is never used to train models
Encrypted Transit: All data transmitted via TLS 1.3+
Local Storage: All persistent data stays on your machine

Security Measures

Infrastructure Security

SOC 2 Type II Certified: Annual third-party audits
Encryption: AES-256 at rest, TLS 1.3 in transit
Access Control: Role-based access with MFA
Monitoring: 24/7 security monitoring and alerts

Application Security

Code Isolation: Each session runs in isolation
Sandboxing: Tool execution in restricted environments
Input Validation: All inputs sanitized and validated
Rate Limiting: Protection against abuse

Local Security

# All sensitive data encrypted locally
~/.claude/
├── settings.json     # Encrypted if contains secrets
├── cache/           # Temporary, auto-cleared
└── logs/            # Rotated, no sensitive data

Best Practices

1. API Key Management

# Good: Use environment variables
export ANTHROPIC_API_KEY="your-key"

# Bad: Hardcode in files
apiKey: "sk-ant-..." # Never do this

2. Secret Protection

Use .claudeignore for sensitive files:

.env
*.key
*.pem
secrets/
credentials.json

3. Network Security

For enterprise environments:

{
  "proxy": "${HTTPS_PROXY}",
  "ssl": {
    "rejectUnauthorized": true,
    "ca": "/path/to/ca-bundle.crt"
  }
}

4. Access Control

Limit tool permissions:

{
  "allowedTools": [
    "Read",
    "Edit(src/*)",
    "!Bash(rm*)",
    "!Bash(sudo*)"
  ]
}

Compliance

Standards

SOC 2 Type II: Annually certified
GDPR: Full compliance for EU users
CCPA: California privacy rights respected
HIPAA: Business Associate Agreements available

Data Residency

US: Primary processing
EU: Available on request
Custom: Enterprise arrangements

Enterprise Security

Additional Features

SSO Integration: SAML 2.0, OIDC support
Audit Logging: Complete activity trails
Data Loss Prevention: Custom policies
Private Deployment: On-premise options

Security Controls

# Enterprise configuration example
security:
  authentication:
    type: saml
    provider: okta
    mfa_required: true
  
  data_protection:
    encryption_at_rest: true
    encryption_in_transit: true
    key_management: hsm
  
  access_control:
    ip_allowlist: ["10.0.0.0/8"]
    session_timeout: 30m
    max_sessions: 3
  
  audit:
    enabled: true
    retention_days: 365
    export_format: siem

Vulnerability Reporting

Responsible Disclosure

Found a security issue? Please report it:

Email: security@claudefast.com
PGP Key: Available on request
Response Time: Within 24 hours

Bug Bounty Program

We offer rewards for valid security findings:

Critical: Up to $10,000
High: Up to $5,000
Medium: Up to $1,000
Low: Up to $500

Incident Response

Our Process

Detection: Automated monitoring
Assessment: Security team evaluation
Containment: Immediate mitigation
Communication: User notification if affected
Resolution: Fix and prevention

User Notifications

Email: Primary contact method
Status Page: status.claudefast.com
In-App: For active users

Privacy

Data Collection

We collect minimal data:

Account Info: Email, name (optional)
Usage Metrics: Anonymous, aggregated
Error Reports: Sanitized, no code

Your Rights

Access: Request your data
Deletion: Remove your account
Portability: Export your data
Correction: Update information

Contact

Security Checklist

For Developers

Use environment variables for secrets
Enable MFA on your account
Regularly rotate API keys
Review tool permissions
Use .claudeignore for sensitive files

For Teams

For Enterprises

FAQ

Is my code safe?

Yes. Your code is:

Never stored on our servers
Never used for training
Processed only in memory
Transmitted encrypted

Can employees see my code?

No. Employees cannot access:

Your conversations
Your code
Your API keys
Your personal data

What about AI safety?

Models trained for helpfulness
Refusing harmful requests
No execution of malicious code
Continuous safety research

How do I delete my data?

In-app: Settings → Privacy → Delete Account
Email: privacy@claudefast.com
All data removed within 30 days

Updates

Security policies last updated: 2024-01-15

Subscribe to security updates:

RSS: claudefast.com/security.xml
Email: security-announce@claudefast.com

Data Handling​

What We Don't Store​

What We Process​

Security Measures​

Infrastructure Security​

Application Security​

Local Security​

Best Practices​

1. API Key Management​

2. Secret Protection​

3. Network Security​

4. Access Control​

Compliance​

Standards​

Data Residency​

Enterprise Security​

Additional Features​

Security Controls​

Vulnerability Reporting​

Responsible Disclosure​

Bug Bounty Program​

Incident Response​

Our Process​

User Notifications​

Privacy​

Data Collection​

Your Rights​

Contact​

Security Checklist​

For Developers​

For Teams​

For Enterprises​

FAQ​

Is my code safe?​

Can employees see my code?​

What about AI safety?​

How do I delete my data?​

Updates​