Privacy Policy
Last updated: June 2026
1. Introduction
ShipSafe ("we," "us," or "our") operates the ship-safe.co website and related services. ShipSafe is a SaaS security scanner designed for applications built with AI-assisted coding tools such as Cursor, Lovable, Bolt, and v0. You paste a GitHub repository URL, and ShipSafe scans your code to generate a plain-English security report.
This Privacy Policy explains what data we collect, how we use it, and the choices you have. By using ShipSafe, you agree to the practices described in this policy.
2. Information We Collect
Account Information
When you sign up via GitHub OAuth (powered by Clerk), we receive your name, email address, and GitHub profile information. We do not collect or store your GitHub password.
Repository Data
When you initiate a scan, we access the source code of the specified GitHub repository through the GitHub API. Source code is processed during the scan and is not stored permanently. Only the resulting security report and metadata (e.g., repository name, scan timestamp, findings) are retained.
GitHub OAuth Scope Disclosure: ShipSafe requests the repo OAuth scope from GitHub. This scope grants both read and write access to your repositories, including private repositories. ShipSafe uses only read access, to fetch source code for scanning; we do not modify, push to, or delete any repository content. The broad repo scope is required because GitHub's OAuth App scopes do not include a read-only scope for private repositories. You can review the scope granted and revoke ShipSafe's access at any time from GitHub Settings > Applications > Authorized OAuth Apps.
Live-URL Scan Data
If you use the live-URL scan, we collect the application URL you submit and your confirmation that you are authorized to scan it. Our servers then make read-only requests to that URL and its public assets (such as JavaScript bundles). The retrieved content is analyzed in memory and is not stored; we retain only the resulting findings (the type and location of each issue) together with the submitted URL. Content from a live-URL scan is not sent to any third-party AI provider.
Usage Data
We collect standard usage information such as pages visited, scan frequency, feature usage, browser type, and device information to improve the service.
Payment Information
Payments are processed by Polar. We do not store your credit card number, CVC, or full card details on our servers. Our payment processor provides us with limited information such as the last four digits of your card, card brand, and billing address for record-keeping purposes.
3. How We Use Your Information
- Provide and operate the service — running security scans, generating reports, and managing your account.
- Improve the service — analyzing usage patterns to enhance scan accuracy, performance, and user experience.
- Send notifications — transactional emails (scan results, billing receipts) and occasional product updates. You can opt out of non-essential communications at any time. Unsubscribe requests are processed immediately upon receipt.
- Enforce terms and prevent abuse — detecting and preventing misuse of the platform.
4. Data Retention
Source code is accessed only during the active scan and is not permanently stored. Code snippets may be temporarily held in memory during AI analysis, but are discarded once the scan report is generated.
Specific retention periods for other data categories:
- Account data — retained while your account is active, deleted within 30 days of account deletion.
- Scan reports and findings — retained while your account is active.
- Live-URL scan content — the raw page and bundle content fetched during a live-URL scan is processed transiently and is not persisted after the scan completes; only the submitted URL and the resulting findings are retained, on the same basis as scan reports.
- Usage events — retained for 12 months.
- CLI tokens — automatically purged when expired (daily cleanup).
- Error monitoring data (Sentry) — 30 days (per Sentry's retention policy).
5. Third-Party Services
We use the following third-party services to operate ShipSafe. Each has its own privacy policy governing how they handle data:
| Service | Purpose |
|---|---|
| Clerk | Authentication and user management (GitHub OAuth) |
| Convex | Database — stores scan reports, account data, and application state |
| Polar | Checkout, subscription management, and payment processing |
| Resend | Transactional email delivery |
| Vercel | Hosting and content delivery |
| GitHub API | Repository access for code scanning |
| Anthropic | AI-powered code analysis — code snippets are sent for security analysis during scans |
| Vercel Analytics | Web performance analytics (cookie-less) |
| Vercel Speed Insights | Web performance analytics (cookie-less) |
| Sentry | Error monitoring and session replay on errors (see "Session Replay" below) |
Anthropic is used only for AI analysis of GitHub repository code (a paid-tier feature). The live-URL scan is pattern-based and sends no data to Anthropic or any other AI provider. Code snippets are sent to Anthropic over its commercial API for the duration of the scan only, are used solely for generating your security report, and are not retained by ShipSafe after the scan completes. Anthropic processes API inputs under its commercial terms and does not train its models on them, and we use API configurations consistent with that commercial agreement. Transfers to Anthropic (United States) are covered by the transfer safeguards described in Section 10 (SCCs / UK Addendum and, where applicable, Data Privacy Framework participation). See Anthropic's usage policy for details.
Sub-Processors
The following table details our sub-processors, the data they process, and their locations:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk | Authentication | Email, name, profile | United States |
| Convex | Database | Account data, scan results | United States |
| Polar | Billing & subscriptions | Payment info, billing, subscription data | United States |
| Resend | Transactional email | Email addresses, notification content | United States |
| Vercel | Hosting | Application data, access logs | United States |
| Anthropic | AI code analysis | Code snippets (not stored) | United States |
| GitHub | Repository access | Repository contents | United States |
| Sentry | Error monitoring & session replay | Error logs, performance data, IP addresses, session replays on errors | United States |
Session Replay
When an error occurs while using ShipSafe, Sentry may capture a session replay — a reconstruction of user interactions (clicks, navigation, page content) leading up to the error. Session replays are used solely for debugging and are automatically deleted after 30 days. Sensitive form inputs (passwords, payment details) are masked and never recorded. Session replays are only captured when an error occurs and are not used for analytics, marketing, or user profiling.
6. Data Security
We take reasonable measures to protect your data, including:
- Encryption of data in transit (TLS) and at rest.
- Access controls limiting who can view or modify production data.
- Regular review of third-party service configurations and permissions.
- Minimal data collection — we only collect what is necessary to provide the service.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Rights
You have the right to:
- Access your personal data and scan history.
- Delete your account and associated data.
- Export your scan reports and account information.
- Opt out of non-essential communications.
To exercise any of these rights, contact us at support@ship-safe.co.
9. Children's Privacy
ShipSafe is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
10. International Users & GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply to you.
Legal Bases for Processing (GDPR Article 6)
We process your personal data under the following Article 6(1) legal bases:
- Art. 6(1)(b) — Contract performance — processing necessary to provide the ShipSafe service you have signed up for, including running security scans, generating reports, managing your account, and processing payments.
- Art. 6(1)(f) — Legitimate interest — improving the service, ensuring security, preventing abuse, and sending transactional communications. Our legitimate interests do not override your fundamental rights and freedoms.
- Art. 6(1)(a) — Consent — error monitoring via Sentry (including session replays), which you can withdraw at any time through cookie settings without affecting the lawfulness of prior processing.
- Art. 6(1)(c) — Legal obligation — processing required to comply with applicable laws, such as tax and accounting requirements for paid subscriptions.
International Data Transfers
Your data is processed in the United States. For users in the EEA and Switzerland, transfers rely on the European Commission's Standard Contractual Clauses (SCCs, Module Two) executed with our sub-processors. For users in the United Kingdom, transfers rely on the UK International Data Transfer Addendum to the EU SCCs (the UK Addendum) issued by the Information Commissioner's Office, together with the safeguards below.
Where a sub-processor participates in the EU-U.S. Data Privacy Framework (and its UK Extension and Swiss-U.S. counterpart), we also rely on that certification. As supplementary measures we apply encryption in transit (TLS 1.2+), encryption at rest, least-privilege access, and data minimization (source code is processed in memory and not permanently stored).
Transfer Impact Assessment: We maintain an internal assessment of the risks of U.S. transfers (including U.S. government access laws) and the supplementary measures applied per sub-processor. EEA/UK users may request a summary at support@ship-safe.co.
Your Data Subject Rights
Under the GDPR, you have the following rights regarding your personal data:
- Access — obtain confirmation and a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Restriction — request that we limit the processing of your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format and transmit it to another controller.
- Objection — object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@ship-safe.co. We will respond within 30 days.
Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed in violation of applicable data protection law. In the United Kingdom this is the Information Commissioner's Office (ICO, ico.org.uk); in the EEA it is the supervisory authority of your member state; in Switzerland it is the Federal Data Protection and Information Commissioner (FDPIC).
EU / UK Representative
ShipSafe is operated from Israel and is not established in the EU or UK. Where Article 27 of the EU GDPR or the UK GDPR requires a representative, the appointed representative's details will be published here. In the meantime, you can reach us directly for any data-protection matter at support@ship-safe.co.
Automated Decision-Making
ShipSafe's AI-powered scanning involves automated analysis of source code to identify potential security vulnerabilities. This analysis produces informational reports only. No decisions with legal effects or similarly significant effects are made solely by automated means.
AI transparency (EU AI Act): ShipSafe is a deployer of a general-purpose AI model provided by Anthropic (Claude); Anthropic is the model provider. Our scanning is a limited-risk AI use that produces clearly-labelled, AI-generated, informational findings which you should independently verify. We do not use it for high-risk decision-making about individuals.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
Categories of Personal Information Collected
- Identifiers — name, email address, GitHub username.
- Commercial information — subscription plan, billing history.
- Internet or electronic network activity — usage data, pages visited, scan history.
- Professional or employment-related information — GitHub profile data, repository information.
Your California Privacy Rights
- Right to know — request disclosure of the personal information we collect, use, and share about you.
- Right to delete — request deletion of your personal information.
- Right to correct — request correction of inaccurate personal information.
- Right to opt-out — opt out of the sale or sharing of your personal information.
We do not sell or share personal information for cross-context behavioral advertising as defined by the CCPA/CPRA, and we do not process sensitive personal information for purposes that would require an opt-out.
Your Privacy Choices / Do Not Sell or Share My Personal Information
Because we do not sell or share your personal information, there is nothing to opt out of. You may still submit a request to confirm this, or to exercise any of your rights above (know, delete, correct, limit sensitive information), by emailing support@ship-safe.co with the subject "Privacy Request," or via our contact form. We verify your identity (typically via your account email) and respond within the time required by applicable law. We also honor the Global Privacy Control (GPC) browser signal as a valid opt-out request, and you may use an authorized agent to submit a request on your behalf.
Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To submit a request, contact us at support@ship-safe.co.
12. Additional US State Privacy Rights
In addition to California (CCPA/CPRA), residents of the following US states have privacy rights under their respective state laws:
- Virginia — Virginia Consumer Data Protection Act (VCDPA)
- Colorado — Colorado Privacy Act (CPA)
- Connecticut — Connecticut Data Privacy Act (CTDPA)
- Utah — Utah Consumer Privacy Act (UCPA)
- Texas — Texas Data Privacy and Security Act (TDPSA)
- Oregon — Oregon Consumer Privacy Act (OCPA)
- Montana — Montana Consumer Data Privacy Act (MCDPA)
Residents of these states generally have similar rights, including:
- Access — confirm whether we process your personal data and obtain a copy.
- Delete — request deletion of your personal data.
- Correct — request correction of inaccurate personal data.
- Opt-out — opt out of the sale of personal data, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects.
- Appeal — appeal a denial of a privacy rights request.
We do not sell personal data or use it for targeted advertising or profiling as defined under these state privacy laws.
To exercise any of these rights, contact us at support@ship-safe.co. If you are not satisfied with our response, you may appeal by contacting us again with "Privacy Appeal" in the subject line. We will respond to appeals within the timeframe required by your state's law.
13. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities in accordance with applicable law.
For users in the EEA, UK, or Switzerland, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, as required by GDPR Article 33.
Breach notifications will include:
- The nature of the personal data breach.
- The likely consequences of the breach.
- The measures taken or proposed to address and mitigate the breach.
14. Israeli Privacy Protection Law
ShipSafe is operated by a founder based in Israel. Accordingly, the Israeli Protection of Privacy Law, 5741-1981 — as substantially amended by Amendment No. 13, which entered into force on 14 August 2025 — together with the Privacy Protection Regulations (Data Security), 5777-2017, applies to our processing of personal data. Amendment 13 modernized Israel's privacy framework (broader definitions of "personal information" and "information of especially sensitive nature," enhanced transparency and data-subject rights) and granted the Privacy Protection Authority (PPA) expanded enforcement powers, including significant administrative fines.
Your Rights Under Israeli Law
If Israeli privacy law applies to you, you have the following rights regarding your personal data:
- Right of access — you may request to review personal data held about you in our databases.
- Right to correction — you may request that we correct or delete inaccurate data.
- Right to object — you may object to the use of your personal data for direct marketing purposes and request its removal from marketing databases.
- Right to deletion — you may request that we delete your personal data, subject to applicable legal retention requirements.
Data Security
We maintain technical and organizational security measures in compliance with the Privacy Protection Regulations (Data Security), 5777-2017, including access controls, encryption, and incident response procedures. Based on the nature of personal data we process (primarily account identifiers and scan metadata), our database is classified at the "Basic" security level under the 2017 Regulations. We apply security measures that meet or exceed the requirements for this classification level.
Cross-Border Data Transfers
Personal data may be transferred and processed outside of Israel, primarily in the United States. Such transfers are conducted in accordance with the Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001 — relying on the data subject's consent and on our sub-processors' contractual undertakings to protect the data to a standard comparable to Israeli law — together with the safeguards described in Section 10 (SCCs and supplementary measures).
Israel has been recognized by the European Commission as providing an adequate level of data protection (Commission Decision 2011/61/EU). This adequacy decision facilitates lawful data transfers between the European Economic Area (EEA) and Israel without the need for additional safeguards such as Standard Contractual Clauses.
Privacy Protection Officer
Amendment 13 requires certain controllers (such as public bodies, data brokers, and organizations whose core activity involves large-scale processing of sensitive data or systematic monitoring) to appoint a Privacy Protection Officer. We have assessed this requirement; as a small operator processing limited data we fall below those thresholds, and we have designated a privacy contact reachable at support@ship-safe.co for all privacy matters and PPA correspondence.
Security-Incident Notification
In the event of a serious security incident affecting personal data, we will notify the Privacy Protection Authority and affected individuals as required by the Privacy Protection Regulations (Data Security), 5777-2017 and Amendment 13.
Database Registration
Amendment 13 abolished the general obligation to register databases with the Privacy Protection Authority (and the annual-reporting obligation for holders of multiple registrable databases). General database registration is therefore no longer required for our processing; mandatory registration now applies only in limited cases (for example, data brokers), which do not apply to ShipSafe.
Business Registration
ShipSafe is operated by Tomer Goldstein, registered as an Osek Patur (exempt dealer) with the Israel Tax Authority, located at Reut 12B, Hod HaSharon 4529614, Israel.
To exercise any of these rights, contact us at support@ship-safe.co. We will respond within 30 days.
15. Asia-Pacific Privacy Rights
If you are located in the Asia-Pacific region, the following regional provisions apply in addition to the rest of this policy. Across these regions, your personal data and the code you submit for scanning are transferred to and processed in the United States by the sub-processors listed in Section 5 (including Anthropic for AI analysis). By creating an account and running scans, you provide your consent to this cross-border processing; you may withdraw it at any time by closing your account, which may end your ability to use the service.
Data Protection & Grievance Officer
We have designated a Data Protection Officer / Grievance Officer responsible for privacy and for handling complaints, reachable at support@ship-safe.co. We aim to acknowledge requests promptly and resolve grievances within 45 days (or sooner where the law requires).
Singapore (PDPA)
We collect, use, and disclose personal data with notification and, where required, consent, for the purposes described in this policy. For users in Singapore, your personal data is transferred outside Singapore to the United States; by agreeing to this policy you consent to that transfer, and we apply contractual and technical safeguards (Section 5 and Section 10) to provide a comparable standard of protection. Our designated DPO is reachable above.
India (DPDP Act 2023)
We process digital personal data on the basis of your consent, which you may withdraw at any time, and we provide notice of the purposes of processing. You may exercise your rights (access, correction, erasure, grievance redressal, and nomination) by contacting our Grievance Officer above. ShipSafe is not intended for users under 18; we do not knowingly process a child's data without verifiable parental consent.
Japan (APPI)
We notify you of the purpose of use of your personal information and obtain your consent to provide it to the third-party sub-processors in Section 5, including the cross-border transfer to the United States. The United States is not subject to an adequacy determination by Japan; we therefore rely on your consent together with contractual safeguards with each sub-processor.
Australia (Privacy Act / APPs)
Consistent with Australian Privacy Principle 8, we disclose that your personal information may be disclosed to overseas recipients (our U.S. sub-processors in Section 5). We take reasonable steps to ensure those recipients handle your information consistently with the APPs through contractual safeguards. You may complain to us first and, if unsatisfied, to the Office of the Australian Information Commissioner (OAIC).
Mainland China (PIPL) & South Korea (PIPA) — not available
ShipSafe is not offered to users located in mainland China or South Korea, and access from those regions is blocked. Full compliance with the PIPL (China) and PIPA (South Korea) — including locally appointed representatives, native-language consent flows, and, for China, an approved cross-border transfer mechanism — is not currently in place, so we have chosen not to operate there rather than offer a partial service. We may revisit this in the future; until then, users in these regions should not submit personal information or source code to ShipSafe.
16. Record of Processing Activities
We maintain a Record of Processing Activities (ROPA) as required by GDPR Article 30, documenting all categories of processing activities carried out under our responsibility. This record is available upon request to supervisory authorities. For questions, contact support@ship-safe.co.
For a detailed assessment of risks related to our AI-powered scanning, see our Data Protection Impact Assessment (DPIA) below.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last updated" date at the top of this page and, where appropriate, through in-app notifications or email.
Appendix A
Data Processing Agreement
Last updated: June 2026
1. Definitions
This Data Processing Agreement ("DPA") forms part of the Terms of Service between ShipSafe ("Processor," "we," "us") operating at ship-safe.co and the customer ("Controller," "you") who uses the ShipSafe service.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data.
- "Processor" means the entity that processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.
2. Scope and Purpose of Processing
ShipSafe is a SaaS security scanner designed for applications built with AI-assisted coding tools. This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in connection with providing the ShipSafe service.
Subject Matter
The Processor provides security scanning and analysis of source code repositories submitted by the Controller, generating security reports and vulnerability assessments.
Nature and Purpose
Personal Data is processed for the purpose of providing the ShipSafe service, including account management, authentication, security scanning, report generation, payment processing, and transactional communications.
Types of Personal Data
- Account identifiers (name, email address, GitHub username)
- Authentication data (OAuth tokens, session information)
- Repository metadata (repository names, scan timestamps, scan results)
- Payment and billing information (processed by third-party payment providers)
- Usage data (pages visited, feature usage, device information)
Categories of Data Subjects
- Customers and end users of the ShipSafe service
- Developers whose repositories are submitted for scanning
Duration
Processing continues for the duration of the Controller's use of the ShipSafe service, plus any retention period required by law or described in Section 4 (Data Retention) of the Privacy Policy.
3. Data Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Section 7 of this DPA.
- Assist the Controller in fulfilling its obligation to respond to Data Subject requests, as described in Section 6 of this DPA.
- Assist the Controller in ensuring compliance with its obligations regarding security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
- At the choice of the Controller, delete or return all Personal Data upon termination of the service, unless retention is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection provisions.
4. Sub-processors
The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days.
The Processor has engaged the following sub-processors:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Convex | Database | Account data, scan reports, application state | United States |
| Clerk | Authentication | Email, name, GitHub profile, session tokens | United States |
| Anthropic | AI-powered code analysis | Code snippets (transient, not stored) | United States |
| Resend | Transactional email | Email addresses, notification content | United States |
| Polar | Payments & subscription management | Payment info, billing data, subscription state | United States |
| GitHub | Code access via OAuth | Repository contents, OAuth tokens | United States |
| Sentry | Error monitoring, performance tracking | Error logs, IP addresses, session replays | United States |
| Vercel | Hosting and edge compute | Request logs, IP addresses | United States |
The Processor shall impose the same data protection obligations as set out in this DPA on each sub-processor by way of a contract, ensuring that each sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.
The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.
5. Controller Obligations
The Controller shall:
- Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents have been obtained from Data Subjects where required.
- Provide documented processing instructions to the Processor.
- Ensure that repositories submitted for scanning do not contain Personal Data beyond what is necessary, or that appropriate safeguards are in place where they do.
- Comply with its obligations under applicable data protection laws, including GDPR.
6. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including:
- Right of access — obtaining confirmation and a copy of Personal Data being processed.
- Right to rectification — correcting inaccurate or incomplete Personal Data.
- Right to erasure — deleting Personal Data ("right to be forgotten").
- Right to restriction of processing — limiting the processing of Personal Data in certain circumstances.
- Right to data portability — receiving Personal Data in a structured, commonly-used, machine-readable format.
- Right to object — objecting to processing based on legitimate interests or for direct marketing.
The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to the request without the Controller's prior written authorization, unless required by applicable law.
Data Subject requests can be submitted to support@ship-safe.co and will be addressed within 30 days.
7. Data Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data, in accordance with GDPR Article 32:
Technical Measures
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of data at rest in all databases and storage systems.
- Source code submitted for scanning is processed in memory and is not stored permanently. Code is discarded once the security report is generated.
- Role-based access controls limiting access to production systems and Personal Data.
- Regular security assessments and vulnerability scanning of our own infrastructure.
- Automated monitoring and alerting for anomalous access patterns.
Organizational Measures
- Principle of least privilege for all personnel with access to Personal Data.
- Confidentiality obligations for all personnel who process Personal Data.
- Regular review of third-party service configurations and access permissions.
- Data minimization — we collect and process only the Personal Data necessary to provide the service.
- Documented incident response procedures for handling data breaches.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach, in accordance with GDPR Article 33.
The notification shall include:
- A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned.
- The name and contact details of the Processor's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data breach.
9. International Data Transfers
Personal Data is processed primarily in the United States. For Controllers and Data Subjects located in the European Economic Area (EEA), United Kingdom, or Switzerland, the Processor ensures that appropriate safeguards are in place for international transfers of Personal Data.
Transfer Mechanisms
- Standard Contractual Clauses (SCCs) — the Processor uses the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) for transfers of Personal Data to third countries that do not have an adequate level of data protection, as approved by Commission Implementing Decision (EU) 2021/914.
- Sub-processor agreements — the Processor ensures that all sub-processors listed in Section 4 maintain equivalent data transfer safeguards, including SCCs where applicable.
- Supplementary measures — the Processor implements additional technical and organizational measures (such as encryption and access controls) to supplement transfer mechanisms where necessary.
The Processor shall promptly inform the Controller if it becomes aware of any changes in applicable law that may affect the validity of the transfer mechanisms in place.
10. Duration and Termination
This DPA shall remain in effect for the duration of the Controller's use of the ShipSafe service. Upon termination of the service:
- The Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller within 30 days of receiving a written request, unless applicable law requires further retention.
- The Processor shall delete existing copies of Personal Data unless applicable law requires storage of the Personal Data.
- Upon request, the Processor shall provide written certification of deletion to the Controller.
Obligations relating to confidentiality, data security, and cooperation with supervisory authorities shall survive the termination of this DPA.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for obligations that cannot be limited under applicable data protection law.
12. Record of Processing Activities
The Controller maintains a Record of Processing Activities in accordance with GDPR Article 30. The Processor maintains its own Record of Processing Activities documenting all categories of processing carried out on behalf of Controllers, available upon request to supervisory authorities.
Appendix B
Data Protection Impact Assessment
GDPR Article 35 — Last updated: June 2026
1. Description of Processing
What Data Is Processed
ShipSafe's AI-powered scanning processes source code from GitHub repositories submitted by the user. The data sent to the AI model (Anthropic Claude) includes:
- Source code files from the specified repository (read-only access via GitHub API)
- File paths and directory structure metadata
- Repository name and scan configuration parameters
Source code may incidentally contain personal data such as developer names in comments, email addresses in configuration files, or hardcoded credentials (which the scan aims to detect and flag).
Purpose of Processing
The purpose of AI scanning is to identify potential security vulnerabilities, misconfigurations, and risks in user-submitted source code. The AI model analyzes code patterns and produces a plain-English security report with findings and remediation recommendations.
Technology Used
ShipSafe uses Anthropic's Claude API for AI-powered code analysis. Code snippets are sent via encrypted API calls and processed in real time. Anthropic does not use API inputs for model training (per their commercial API terms).
2. Necessity and Proportionality Assessment
Necessity
AI-powered scanning is necessary to provide the core value of ShipSafe: identifying complex security vulnerabilities that rule-based scanners cannot detect. Users explicitly initiate each scan by submitting a repository URL, providing clear informed consent for code analysis.
Proportionality
- User-initiated: Scanning only occurs when a user explicitly submits a repository. We do not proactively scan or index repositories.
- Minimal data: Only source code necessary for security analysis is processed. We do not analyze commit history, pull requests, issues, or other repository metadata beyond what is needed.
- No permanent storage of code: Source code is processed in memory and discarded after the scan report is generated. Only findings and metadata are retained.
- Transient API processing: Code sent to Anthropic's API is processed in real time and not retained by Anthropic beyond the API request lifecycle.
3. Risks to Data Subjects
| Risk | Likelihood | Severity | Description |
|---|---|---|---|
| Code exposure in transit | Low | High | Source code could be intercepted during transmission to the AI provider. |
| Incidental personal data in code | Medium | Low | Code may contain developer names, emails, or other personal data in comments or configuration files. |
| False positive findings | Medium | Low | AI may incorrectly flag secure code as vulnerable, potentially causing unnecessary remediation effort. |
| False negative findings | Medium | Medium | AI may fail to detect actual vulnerabilities, leading to a false sense of security. |
| Prompt injection via code | Low | Medium | Malicious code could attempt to manipulate the AI model's behavior through embedded instructions. |
| Unauthorized repository scanning | Low | High | A user could submit a repository they do not have authorization to scan. |
4. Mitigation Measures
Encryption and Transport Security
- All API calls to Anthropic use TLS 1.2+ encryption in transit.
- GitHub API access uses encrypted OAuth tokens.
- No source code is stored at rest — code is held only in memory during active scanning.
No Code Storage
- Source code is processed in memory and discarded after the scan completes.
- Only structured findings (vulnerability title, severity, file path, description) are persisted in the database.
- Anthropic's commercial API does not retain inputs beyond the request lifecycle and does not use them for model training.
Prompt Injection Defense
- The AI scanning prompt uses structured system instructions that separate code content from analysis directives.
- Code is provided to the AI as data context, not as executable instructions.
- Output is validated and structured before being presented to users.
Access Controls
- Users can scan only repositories they have access to through their authenticated GitHub account.
- Scan results are private to the user who initiated the scan.
- GitHub OAuth tokens are stored securely via Clerk and are never exposed to the client.
Transparency and User Control
- Users are informed that AI analysis is performed by Claude (Anthropic) at the point of scan.
- Scan results clearly state that findings are AI-generated and should be independently verified.
- Users can delete their scan data at any time through their account settings or by contacting support.
5. Conclusion
Based on this assessment, the residual risk of ShipSafe's AI-powered scanning to data subjects is low. The processing is user-initiated, transient (no code storage), encrypted in transit, and subject to Anthropic's commercial data protection commitments. The informational nature of scan results means no automated decisions with legal or similarly significant effects are made. We will review this DPIA annually or when material changes are made to the scanning process.
17. Contact
ShipSafe is operated by Tomer Goldstein, a sole proprietor doing business as ShipSafe. The data controller for the purposes of GDPR and applicable data protection law is Tomer Goldstein.
Data Controller & Legal Contact
Tomer Goldstein d/b/a ShipSafe
Reut 12B, Hod HaSharon 4529614, Israel
Email: support@ship-safe.co