Security & Privacy
How Secbez handles your code — boundary, secret redaction, audit trail, encryption.
Secbez is a security product. The Enterprise tier is designed so that customers with strict data-handling requirements can adopt it without compromising their security posture.
Code stays where you run it
In a self-hosted Enterprise deployment, your code never leaves your infrastructure. The graph engine, scan workers, dashboard, and storage all run inside your boundary. Outbound network calls are limited to the providers you explicitly configure (e.g., your chosen LLM endpoint, GitHub).
Air-gapped operation is supported on demand for customers who cannot allow any outbound network calls — details are scoped per engagement.
Secret safety
The pipeline maintains two views of every file: a raw view, used only by deterministic detection (which has to see secrets in order to find them), and a redacted view, which is the only content ever sent to an AI model. Detected secrets are masked at that boundary, and the publisher (the step that hands content to the model) runs a defensive scrubber as a backstop, so a detection miss upstream is caught a second time before anything leaves.
The invariant is simple: no code path sends raw source content to an external AI call. Detected secrets are masked in finding evidence too — the dashboard shows the rule and location but never the secret value.
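The two-view design and the invariant above, as an added illustration that is not Secbez's code: deterministic rules run over the raw text, the publisher accepts only a `RedactedView` wrapper type (a plain string is rejected), a defensive scrubber re-runs the rules on already-redacted text and reports anything it still had to mask, and findings carry a mask token as evidence rather than the value. The rule set, type names, function names, and the sample file are assumptions made for this example.

```python
"""Two-view secret handling at an AI boundary.

Illustrative example only (not Secbez code): deterministic detection sees the
raw file, the publisher accepts only a RedactedView, and a defensive scrubber
re-runs the rules as a backstop. Rule names, types and function names are
assumptions made for this example.
"""
import re
from dataclasses import dataclass

# Hypothetical, deliberately small rule set; a real scanner carries many more.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    # Group 2 captures the value; the lookahead keeps an already-masked value from matching again.
    "generic-assigned-secret": re.compile(
        r"""\b(api[_-]?key|secret|token|password)\s*[:=]\s*['"](?!\[REDACTED)([^'"\s]{8,})['"]""",
        re.I),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    evidence: str  # a mask token; the secret value itself is never stored in a finding


class RedactedView:
    """Marker type for text that has passed redaction. The publisher accepts nothing else."""
    __slots__ = ("path", "text")

    def __init__(self, path: str, text: str):
        self.path, self.text = path, text


def _mask(rule: str) -> str:
    return f"[REDACTED:{rule}]"


def _find_spans(text: str):
    """Run every rule; return non-overlapping (start, end, rule) spans sorted by start."""
    spans = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(text):
            start, end = m.span(2) if m.lastindex else m.span()
            spans.append((start, end, rule))
    spans.sort()
    merged = []
    for s, e, r in spans:
        if merged and s < merged[-1][1]:  # overlap: widen the earlier span instead of nesting masks
            ps, pe, pr = merged[-1]
            merged[-1] = (ps, max(pe, e), pr)
        else:
            merged.append((s, e, r))
    return merged


def _apply(text: str, spans) -> str:
    for s, e, r in reversed(spans):  # back to front so earlier offsets stay valid
        text = text[:s] + _mask(r) + text[e:]
    return text


def build_views(path: str, raw: str):
    """Deterministic detection over the raw view; returns findings plus the redacted view."""
    spans = _find_spans(raw)
    findings = [Finding(r, path, raw.count("\n", 0, s) + 1, _mask(r)) for s, e, r in spans]
    return findings, RedactedView(path, _apply(raw, spans))


def defensive_scrub(text: str):
    """Backstop in the publisher: re-run the rules on already-redacted text.
    Returns (text, leaks); leaks > 0 means something upstream missed a secret."""
    spans = _find_spans(text)
    return _apply(text, spans), len(spans)


def publish(view: RedactedView, model_call):
    """The only code path allowed to reach the model. Raw str is rejected by type."""
    if not isinstance(view, RedactedView):
        raise TypeError("publisher accepts RedactedView only, never raw source text")
    text, leaks = defensive_scrub(view.text)
    return model_call(text), leaks


# Constructed sample input; the AWS key is the well-known documentation placeholder, not a real credential.
SAMPLE = (
    "import boto3\n"
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
    'api_key = "sk_test_51Hxyzabcdef"\n'
    "def main():\n"
    '    print("hello")\n'
)

if __name__ == "__main__":
    findings, view = build_views("app.py", SAMPLE)
    for f in findings:
        print(f"{f.path}:{f.line} {f.rule} evidence={f.evidence}")
    reply, leaks = publish(view, lambda t: f"model saw {len(t)} chars")
    print(reply, "leaks_caught_by_backstop=", leaks)
```

The type check in `publish` is what turns the invariant into something a code review can verify mechanically: grep for `model_call` and confirm every caller holds a `RedactedView`. The `leaks` counter from the backstop is worth alerting on, since a non-zero value means the first-pass detector and the scrubber disagree and the rule set upstream needs attention.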
Audit trail
Security-relevant events (suppressions, baseline updates, policy changes, access events, license events) are recorded with actor, timestamp, target, and a stable event ID, so an individual record can be referenced and correlated after export. The audit trail can be exported on demand.
Encryption
- In transit — TLS for every external connection.
- At rest — provided by your infrastructure (database / object storage encryption is configured at the platform layer).
- Application secrets (provider credentials and the like) — injected at runtime; never persisted in the application database.
Compliance posture
Self-hosted Enterprise deployments inherit the certification posture of the infrastructure they run on. Secbez supplies the technical controls (boundary control, audit, encryption, redaction) that support customer compliance work; we don't claim third-party certifications we don't currently hold.
If you have a specific compliance requirement, talk to your account contact — Enterprise engagements scope these requirements explicitly rather than relying on a published checklist.
Vulnerability disclosure
Secbez follows responsible disclosure for issues in its own software. Reach out to your account contact for the security disclosure address; advisories are delivered to the designated security contact at each customer.