Security at Tachyon

Tachyon connects to your repositories through a GitHub App with read-only access. We cannot push code, modify branches, or change repository settings.

When a scan runs, your code is pulled into an isolated sandbox environment created specifically for that analysis. Code is never written to persistent storage or shared infrastructure. When the analysis completes, the sandbox is destroyed — along with all copies of your code.

We do not retain your source code after analysis. The only outputs that persist are the security findings and review comments we generate for your use.

Each analysis runs in a dedicated, isolated sandbox. Sandboxes are not shared between customers or between analyses. Each one is provisioned on demand and torn down after use.

Sandboxes have no outbound network access. Your code cannot be exfiltrated during analysis, even in the event of a sandbox escape.

Our analysis is agentic — powered by large language models that read, reason about, and in some cases execute code paths to validate whether a vulnerability is actually exploitable. This is fundamentally different from pattern-matching tools (SAST) that flag syntax without understanding context.

Tachyon uses Claude (Anthropic) as its underlying language model. All code sent to the LLM is covered by Anthropic's zero-retention API policy: your code is not stored by Anthropic, not used for model training, and not accessible to other customers.

Security findings, PR review comments, and scan metadata are stored in Tachyon's database so you can access your results. You can request deletion of this data at any time.

We're building toward SOC 2 Type II certification. Our current security controls include:

• Encrypted data in transit (TLS) and at rest
• Role-based access control with least-privilege defaults
• Ephemeral, network-isolated sandbox environments
• No persistent storage of customer source code
• Anthropic zero-retention API policy for LLM interactions

If you have specific compliance requirements (SOC 2, ISO 27001, GDPR), we're happy to discuss our controls and roadmap in detail.

If you discover a security issue in Tachyon itself, please report it to security@tachyonsec.com. We take all reports seriously and will respond promptly.

We practice what we preach. Tachyon has responsibly disclosed critical vulnerabilities in widely-used open-source projects. See our Wall of Fame for examples.