In short: Aikido does not store your code after analysis has taken place. Some analysis jobs, such as SAST or Secrets Detection, require a git clone operation. Below we describe the technical measures we take to ensure your code is protected:
We perform risky actions such as git clones in a fresh Docker container for each repository. After analysis, the data is wiped and the Docker container is terminated.
For GitHub, no refresh or access tokens are ever stored in our database. We use GitHub Apps, which do not require this. Even a breach of Aikido's own database would therefore not make your GitHub code downloadable.
By default, our integrations require a very minimal read-only scope. Only if you enable special features such as Autofix Pull Requests will Aikido request write access.
Aikido is SOC 2 Type 2 certified, which means we adhere to a set of organizational and technical policies by default. The report is available upon request.
Aikido runs on AWS in the eu-west-1 region (Ireland). That means all processing and storage stay in that location.
The process we use to ensure code security: